spring-security: RelyingPartyRegistrations should not fail when SPSSODescriptor elements are present

I am trying to migrate from the old SAML extension project to the new one, on Spring 5.8.x (not Boot).

It would be good if RelyingPartyRegistrations.collectionFromMetadataLocation() could skip “SP” entries instead of throwing exceptions.

Right now I am getting org.springframework.security.saml2.Saml2Exception: Metadata response is missing the necessary IDPSSODescriptor element

Ideally there should be a flag to skip entities without IDPSSODescriptor. In this federation, SPSSODescriptors are mixed into the same metadata as the IdPs.

See https://fed.skolfederation.se/prod/md/skolfederation-3_1.xml (a federation for school owners (IdPs, ca. 200+) and e-learning resources (SPs) in Sweden).

Since the classes are package private and final, it is hard to work around the issue at present.

The only possible workaround seems to be to copy classes…

Also, how does one parse and store the other metadata that was read by the old implementation, such as “organisation.name”, when RelyingPartyRegistration is final and there are no hooks in the code, afaik? Couldn’t it be an interface instead? Or expose the XMLObject?

In my current implementation, which uses the old project, I have a dropdown list to select the IdP by OrgName.

I’m unable to find a migration guide, and the docs are pretty sparse.

Thanks.
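The two requests in the report, skipping SP-only entities and getting at the organisation name for the IdP dropdown, can both be handled today without copying Spring Security's package-private classes by filtering the aggregate before it reaches the framework. The following is an added example written for this page, not code from the reporter or from the Spring Security project. It assumes Spring Security 5.8's `RelyingPartyRegistrations.collectionFromMetadata(InputStream)`; the class `IdpOnlyMetadata`, its methods, and the embedded `SAMPLE` metadata are hypothetical and constructed for illustration. Two caveats a practitioner would want: federation metadata is untrusted XML, so the DOM parser is hardened against DTD and external-entity tricks, and removing elements from a signed `EntitiesDescriptor` breaks any signature over the aggregate, so verify that signature against the federation's published key before this step rather than after.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper: pre-filters federation metadata so only IdP entities reach Spring Security. */
public final class IdpOnlyMetadata {

    private static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";

    private IdpOnlyMetadata() {
    }

    /** DOM parser with DTDs, external entities and XInclude disabled: the aggregate is untrusted input. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    private static boolean isIdp(Element entity) {
        return entity.getElementsByTagNameNS(MD_NS, "IDPSSODescriptor").getLength() > 0;
    }

    /** Removes every md:EntityDescriptor that has no md:IDPSSODescriptor; returns how many were dropped. */
    static int dropNonIdpEntities(Document doc) {
        NodeList entities = doc.getElementsByTagNameNS(MD_NS, "EntityDescriptor");
        List<Element> toRemove = new ArrayList<>();   // collect first: the NodeList is live
        for (int i = 0; i < entities.getLength(); i++) {
            Element entity = (Element) entities.item(i);
            if (!isIdp(entity)) {
                toRemove.add(entity);
            }
        }
        for (Element e : toRemove) {
            e.getParentNode().removeChild(e);
        }
        return toRemove.size();
    }

    /** entityID -> organisation display name (falling back to OrganizationName, then entityID) for the IdPs. */
    static Map<String, String> idpDisplayNames(Document doc) {
        Map<String, String> names = new LinkedHashMap<>();
        NodeList entities = doc.getElementsByTagNameNS(MD_NS, "EntityDescriptor");
        for (int i = 0; i < entities.getLength(); i++) {
            Element entity = (Element) entities.item(i);
            if (!isIdp(entity)) {
                continue;
            }
            String entityId = entity.getAttribute("entityID");
            NodeList display = entity.getElementsByTagNameNS(MD_NS, "OrganizationDisplayName");
            NodeList plain = entity.getElementsByTagNameNS(MD_NS, "OrganizationName");
            String name = display.getLength() > 0 ? display.item(0).getTextContent()
                    : plain.getLength() > 0 ? plain.item(0).getTextContent() : entityId;
            names.put(entityId, name.trim());   // federation-controlled text: HTML-escape it when rendering
        }
        return names;
    }

    static byte[] serialize(Document doc) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer t = tf.newTransformer();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }

    /** Filters the aggregate, then hands only the IdP entities to Spring Security's metadata parser. */
    public static Collection<RelyingPartyRegistration.Builder> idpBuilders(InputStream aggregate) throws Exception {
        Document doc = hardenedBuilder().parse(aggregate);
        dropNonIdpEntities(doc);
        return RelyingPartyRegistrations.collectionFromMetadata(new ByteArrayInputStream(serialize(doc)));
    }

    // Constructed sample, not real federation data: one IdP and one SP in a single EntitiesDescriptor.
    static final String SAMPLE = "<md:EntitiesDescriptor xmlns:md=\"" + MD_NS + "\">"
            + "<md:EntityDescriptor entityID=\"https://idp.example.test\">"
            + "<md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>"
            + "<md:Organization><md:OrganizationDisplayName xml:lang=\"sv\">Exempelskolan"
            + "</md:OrganizationDisplayName></md:Organization></md:EntityDescriptor>"
            + "<md:EntityDescriptor entityID=\"https://sp.example.test\">"
            + "<md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>"
            + "</md:EntityDescriptor></md:EntitiesDescriptor>";

    public static void main(String[] args) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        System.out.println("dropped non-IdP entities: " + dropNonIdpEntities(doc));
        System.out.println("IdP dropdown entries: " + idpDisplayNames(doc));
    }
}
```

The `main` method exercises only the DOM filter and the name map on the constructed sample; `idpBuilders` is the entry point to wire into the real fetch. Each returned builder still needs a `registrationId(...)` before `build()`, and keying the dropdown on `entityID` keeps it aligned with the registrations Spring Security produces. The name map is collected from the same DOM pass so it does not depend on any hook in the final `RelyingPartyRegistration`; if the maintainer's second item is what you want instead, check your version's Javadoc for the OpenSAML-backed asserting-party details type that exposes the underlying `EntityDescriptor`.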

About this issue

  • State: closed
  • Comments: 19 (6 by maintainers)

Most upvoted comments

Hi, @stnor, thanks for the detailed report.

Looks like there are a couple of things here.

  • Address SPSSODescriptor error handling
  • Add to SAML Metadata documentation for getting the underlying XMLObject (already supported, undocumented, though)

I’ve added https://github.com/spring-projects/spring-security/issues/12667 to address the second one. As for the first one, yes, I think that makes sense to add and am happy to use this ticket to address that.

> I’m unable to find a migration guide

It is in our wiki: https://github.com/spring-projects/spring-security/wiki/SAML-2.0-Migration-Guide. Note that the main page didn’t have it in the bullet list, so I’ve added it there to make it easier to find.