spring-security/docs/modules/ROOT/pages/servlet/saml2/metadata.adoc

[[servlet-saml2login-metadata]]
= Saml 2.0 Metadata

Spring Security can <<parsing-asserting-party-metadata,parse asserting party metadata>> to produce an `AssertingPartyDetails` instance as well as <<publishing-relying-party-metadata,publish relying party metadata>> from a `RelyingPartyRegistration` instance.

[[parsing-asserting-party-metadata]]
== Parsing `<saml2:IDPSSODescriptor>` metadata

You can parse an asserting party's metadata xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistrationrepository[using `RelyingPartyRegistrations`].

When using the OpenSAML vendor support, the resulting `AssertingPartyDetails` will be of type `OpenSamlAssertingPartyDetails`.
This means you'll be able to do get the underlying OpenSAML XMLObject by doing the following:

====
.Java
[source,java,role="primary"]
----
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
----

.Kotlin
[source,kotlin,role="secondary"]
----
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();
----
====

[[publishing-relying-party-metadata]]
== Producing `<saml2:SPSSODescriptor>` Metadata

You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:

====
.Java
[source,java,role="primary"]
----
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
----

.Kotlin
[source,kotlin,role="secondary"]
----
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
    DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
    relyingPartyRegistrationResolver,
    OpenSamlMetadataResolver()
)

http {
    //...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}
----
====

You can use this metadata endpoint to register your relying party with your asserting party.
This is often as simple as finding the correct form field to supply the metadata endpoint.

By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
You can change this by calling the `setRequestMatcher` method on the filter:

====
.Java
[source,java,role="primary"]
----
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
----

.Kotlin
[source,kotlin,role="secondary"]
----
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
----
====

Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:

====
.Java
[source,java,role="primary"]
----
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
----

.Kotlin
[source,kotlin,role="secondary"]
----
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
----
====
Separate SAML Docs Issue gh-10367 2021-10-30 01:29:35 +08:00			`[[servlet-saml2login-metadata]]`
Preserve OpenSamlAssertingPartyDetails Instance Closes gh-12667 2023-02-16 08:53:21 +08:00			`= Saml 2.0 Metadata`

			Spring Security can <<parsing-asserting-party-metadata,parse asserting party metadata>> to produce an `AssertingPartyDetails` instance as well as <<publishing-relying-party-metadata,publish relying party metadata>> from a `RelyingPartyRegistration` instance.

			`[[parsing-asserting-party-metadata]]`
			== Parsing `<saml2:IDPSSODescriptor>` metadata

			You can parse an asserting party's metadata xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistrationrepository[using `RelyingPartyRegistrations`].

			When using the OpenSAML vendor support, the resulting `AssertingPartyDetails` will be of type `OpenSamlAssertingPartyDetails`.
			`This means you'll be able to do get the underlying OpenSAML XMLObject by doing the following:`

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)`
			`registration.getAssertingPartyDetails();`
			`EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`val details: OpenSamlAssertingPartyDetails =`
			`registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;`
			`val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();`
			`----`
			`====`

			`[[publishing-relying-party-metadata]]`
			== Producing `<saml2:SPSSODescriptor>` Metadata
Separate SAML Docs Issue gh-10367 2021-10-30 01:29:35 +08:00
			You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =`
			`new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);`
			`Saml2MetadataFilter filter = new Saml2MetadataFilter(`
			`relyingPartyRegistrationResolver,`
			`new OpenSamlMetadataResolver());`

			`http`
			`// ...`
			`.saml2Login(withDefaults())`
			`.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =`
			`DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)`
			`val filter = Saml2MetadataFilter(`
			`relyingPartyRegistrationResolver,`
			`OpenSamlMetadataResolver()`
			`)`

			`http {`
			`//...`
			`saml2Login { }`
			`addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)`
			`}`
			`----`
			`====`

			`You can use this metadata endpoint to register your relying party with your asserting party.`
			`This is often as simple as finding the correct form field to supply the metadata endpoint.`

			By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
			You can change this by calling the `setRequestMatcher` method on the filter:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))`
			`----`
			`====`

			Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))`
			`----`
			`====`