Fix #8693 Support SAML 2.0 SP Metadata Endpoints

[jkubrynski]

No description provided.

[jzheaux]

Thanks, @jkubrynski! I've left some feedback inline.

[jzheaux]

Thanks for the updates, @jkubrynski. I've left some additional feedback inline.

[jzheaux]

It seems a little odd to provide this as part of saml2Login(). For now, let's leave it out of the DSL as an application can add the filter directly with addFilter

[jkubrynski]

Entity ID patterns used as defaults across spring-security-saml map to the URL, which for me suggest this URL should be available without any external configuration. Why do you think it's odd?

[jzheaux]

Why do you think it's odd?

Because saml2Login() indicates an authentication mechanism, so it should only contain filters related to that.

For example, saml2Login() isn't the place to configure SAML logout.

without any external configuration

Can you elaborate on this point? What I'm suggesting is that an application do:

http
    .saml2Login(saml2 -> {})
    .addFilter(new Saml2MetadataFilter(new OpenSamlMetadataResolver()));

which already seems simple.

[jzheaux]

AssertingPartyDetails represents metadata for the asserting party, i.e. IDPSSODescriptor.

Since you are generating relying party metadata, I would have thought this would be defined in the relying party section.

[jkubrynski]

NameID is a part of the IDPSSODescriptor

[jzheaux]

I believe it's in both. You can see it listed for SPSSODescriptor in this metadata overview document on page 8, section 2.14.

There may be value in adding this in both places, but since we're generating an SPSSODescriptor for this ticket, let's please focus on that use case.

[jzheaux]

The AssertingPartyDetails#singleSignOnServiceBinding conceptually maps to the <SingleSignOnService binding='...'/> attribute.

Instead, I think this should probably be set to POST until RelyingPartyRegistration#assertionConsumerServiceBinding is added in #8776

[jkubrynski]

You cannot simply hardcode POST here, as REDIRECT is pretty common in Saml. I don't get the problem with such usage as above

[jzheaux]

Are you thinking #8776 should be done first? I think it's okay to wait for that.

I don't get the problem with such usage as above

The problem with the above usage is that SingleSignOnService#binding is IDP metadata, but you are generating SP metadata. Since you are wanting to show AssertionConsumerService#binding, you'll want to retrieve that from a semantically equivalent source.

REDIRECT is pretty common in Saml

AFAIK, SAML doesn't allow the usage of REDIRECT for SAML assertions. In the spec line 421 says:

In step 5, the identity provider issues a message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.

That doesn't mean that ppl don't do it, but it does mean simplifying that specific use case is a lower priority.

[jzheaux]

I appreciate you being proactive here, but moving things will take a bit more work so that things stay backward compatible. While new filters like Saml2MetadataFilter should go into web, let's please wait on moving existing filters until #8819

[jkubrynski]

I cannot move new filters without moving the rest or changing the visibility of *Utils classes to public. Are you OK with the second one?

[jzheaux]

No, the Utils classes should not be made public. I'd recommend inlining that support, as was done with DefaultSaml2AuthenticationRequestContextResolver. Once everything gets moved, then the code can be changed to call the Utils classes again.

[jzheaux]

@jkubrynski It looks like something funny happened in a recent push -- I'm seeing other commits in your PR. Can you rebase so that only your commits show?

[jzheaux]

@jkubrynski Are you able to make the requested changes or is there something else that I can help with?

[jkubrynski]

Hi, sorry but I don't have more time for this PR. Feel free to polish it on your side or simply close it.

[jzheaux]

Thanks for your contributions here, @jkubrynski, I was able to complete the PR.

I took your commits and squashed them in 8a35524 and then applied a polish in b999faa.

Some of your contributions were left out since more discussion is probably needed to introduce them. First, metadata configuration was left out of the saml2Login DSL. Second, support for SPSSODescriptor#nameIDFormat was left out of OpenSamlMetadataResolver. These can be revisited in additional tickets if you need that support.

Also, to align with #8887 I opted for a simpler contract of just one parameter for Saml2MetadataResolver.