spring-security/docs/modules/ROOT/pages/servlet/saml2/metadata.adoc

[[servlet-saml2login-metadata]]
= Producing `<saml2:SPSSODescriptor>` Metadata

You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:

====
.Java
[source,java,role="primary"]
----
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
----

.Kotlin
[source,kotlin,role="secondary"]
----
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
    DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
    relyingPartyRegistrationResolver,
    OpenSamlMetadataResolver()
)

http {
    //...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}
----
====

You can use this metadata endpoint to register your relying party with your asserting party.
This is often as simple as finding the correct form field to supply the metadata endpoint.

By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
You can change this by calling the `setRequestMatcher` method on the filter:

====
.Java
[source,java,role="primary"]
----
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
----

.Kotlin
[source,kotlin,role="secondary"]
----
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
----
====

Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:

====
.Java
[source,java,role="primary"]
----
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
----

.Kotlin
[source,kotlin,role="secondary"]
----
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
----
====

== Changing the Way a `RelyingPartyRegistration` Is Looked Up

To apply a custom `RelyingPartyRegistrationResolver` to the metadata endpoint, you can provide it directly in the filter constructor like so:

====
.Java
[source,java,role="primary"]
----
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
----

.Kotlin
----
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...;
val metadata = new Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java);
----
====

In the event that you are applying a `RelyingPartyRegistrationResolver` to remove the `registrationId` from the URI, you must also change the URI in the filter like so:

====
.Java
[source,java,role="primary"]
----
metadata.setRequestMatcher("/saml2/metadata")
----

.Kotlin
----
metadata.setRequestMatcher("/saml2/metadata")
----
====
Separate SAML Docs Issue gh-10367 2021-10-30 01:29:35 +08:00			`[[servlet-saml2login-metadata]]`
			= Producing `<saml2:SPSSODescriptor>` Metadata

			You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =`
			`new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);`
			`Saml2MetadataFilter filter = new Saml2MetadataFilter(`
			`relyingPartyRegistrationResolver,`
			`new OpenSamlMetadataResolver());`

			`http`
			`// ...`
			`.saml2Login(withDefaults())`
			`.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =`
			`DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)`
			`val filter = Saml2MetadataFilter(`
			`relyingPartyRegistrationResolver,`
			`OpenSamlMetadataResolver()`
			`)`

			`http {`
			`//...`
			`saml2Login { }`
			`addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)`
			`}`
			`----`
			`====`

			`You can use this metadata endpoint to register your relying party with your asserting party.`
			`This is often as simple as finding the correct form field to supply the metadata endpoint.`

			By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
			You can change this by calling the `setRequestMatcher` method on the filter:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))`
			`----`
			`====`

			Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))`
			`----`
			`====`
Document Federation Usecase Closes gh-12764 2023-03-01 03:35:04 +08:00
			== Changing the Way a `RelyingPartyRegistration` Is Looked Up

			To apply a custom `RelyingPartyRegistrationResolver` to the metadata endpoint, you can provide it directly in the filter constructor like so:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`RelyingPartyRegistrationResolver myRegistrationResolver = ...;`
			`Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());`

			`// ...`

			`http.addFilterBefore(metadata, BasicAuthenticationFilter.class);`
			`----`

			`.Kotlin`
			`----`
			`val myRegistrationResolver: RelyingPartyRegistrationResolver = ...;`
			`val metadata = new Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver());`

			`// ...`

			`http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java);`
			`----`
			`====`

			In the event that you are applying a `RelyingPartyRegistrationResolver` to remove the `registrationId` from the URI, you must also change the URI in the filter like so:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`metadata.setRequestMatcher("/saml2/metadata")`
			`----`

			`.Kotlin`
			`----`
			`metadata.setRequestMatcher("/saml2/metadata")`
			`----`
			`====`