Add configuration properties for SAML2 relying party registration's ASM

This commit allows to configure the location and binding of the Assertion Consumer Service used by a SAML2 relying party. Closes gh-23746
2020-10-19 14:04:49 +02:00 · 2020-10-19 14:04:49 +02:00 · e77dc60744
parent 21f2b95a64
commit e77dc60744
3 changed files with 48 additions and 5 deletions
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
@ -56,6 +56,11 @@ public class Saml2RelyingPartyProperties {
 		 */
 		private String entityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";

+		/**
+		 * Assertion Consumer Service.
+		 */
+		private final Acs acs = new Acs();
+
 		private final Signing signing = new Signing();

 		/**
@ -71,6 +76,10 @@ public class Saml2RelyingPartyProperties {
 			this.entityId = entityId;
 		}

+		public Acs getAcs() {
+			return this.acs;
+		}
+
 		public Signing getSigning() {
 			return this.signing;
 		}
@ -79,6 +88,38 @@ public class Saml2RelyingPartyProperties {
 			return this.identityprovider;
 		}

+		public static class Acs {
+
+			/**
+			 * Assertion Consumer Service location template. Can generate its location
+			 * based on possible variables of "baseUrl", "registrationId", "baseScheme",
+			 * "baseHost", and "basePort".
+			 */
+			private String location = "{baseUrl}/login/saml2/sso/{registrationId}";
+
+			/**
+			 * Assertion Consumer Service binding.
+			 */
+			private Saml2MessageBinding binding = Saml2MessageBinding.POST;
+
+			public String getLocation() {
+				return this.location;
+			}
+
+			public void setLocation(String location) {
+				this.location = location;
+			}
+
+			public Saml2MessageBinding getBinding() {
+				return this.binding;
+			}
+
+			public void setBinding(Saml2MessageBinding binding) {
+				this.binding = binding;
+			}
+
+		}
+
 		public static class Signing {

 			/**
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
@ -42,7 +42,6 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;

@ -74,8 +73,8 @@ class Saml2RelyingPartyRegistrationConfiguration {
 		Builder builder = (usingMetadata) ? RelyingPartyRegistrations
 				.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
 				: RelyingPartyRegistration.withRegistrationId(id);
-		builder.assertionConsumerServiceLocation(
-				"{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+		builder.assertionConsumerServiceLocation(properties.getAcs().getLocation());
+		builder.assertionConsumerServiceBinding(properties.getAcs().getBinding());
 		builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
 		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
 				.map(this::asSigningCredential).forEach(credentials::add));
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
@ -93,7 +93,8 @@ class Saml2RelyingPartyAutoConfigurationTests {
 			assertThat(registration.getAssertingPartyDetails().getEntityId())
 					.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php");
 			assertThat(registration.getAssertionConsumerServiceLocation())
-					.isEqualTo("{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+					.isEqualTo("{baseUrl}/login/saml2/foo-entity-id");
+			assertThat(registration.getAssertionConsumerServiceBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
 			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding())
 					.isEqualTo(Saml2MessageBinding.POST);
 			assertThat(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()).isEqualTo(false);
@ -186,7 +187,9 @@ class Saml2RelyingPartyAutoConfigurationTests {
 				PREFIX + ".foo.identityprovider.singlesignon.sign-request=false",
 				PREFIX + ".foo.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
 				PREFIX + ".foo.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location",
-				PREFIX + ".foo.entity-id={baseUrl}/saml2/foo-entity-id" };
+				PREFIX + ".foo.entity-id={baseUrl}/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.location={baseUrl}/login/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.binding=redirect" };
 	}

 	private boolean hasFilter(AssertableWebApplicationContext context, Class<? extends Filter> filter) {