Saml2RelyingPartyRegistrationConfiguration does not support setting of decryptionX509Credentials.

Via Java Config it is possible to set decryption credentials like this:

import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

// Signing credential: private key + certificate used to sign AuthnRequests.
// Decryption credential: private key + certificate used to decrypt encrypted assertions from the IdP.
final RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
    .fromMetadataLocation("http://localhost:8081/auth/realms/DemoRealm/protocol/saml/descriptor")
    .registrationId("demo-saml-client")
    .entityId("demo-saml-client")
    .signingX509Credentials(c -> c.add(getSigningCredential()))
    .decryptionX509Credentials(c -> c.add(getDecryptionCredential()))
    .build();

Unfortunately this is not possible via Spring Boot application.properties.
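For reference, the snippet above leaves getSigningCredential() and getDecryptionCredential() undefined. The following is an added example (not code from the issue or from Spring Boot) showing how such credentials are built with Spring Security 5.4's Saml2X509Credential factories from a PKCS#8 private key and an X.509 certificate; the classpath locations are hypothetical.

```java
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.springframework.core.io.ClassPathResource;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;

/** Builds the signing and decryption credentials used by a RelyingPartyRegistration. */
public final class Saml2Credentials {

    // Hypothetical locations (assumption, not from the issue). The private key protects every
    // encrypted assertion the IdP sends, so keep it out of source control and readable only by the app.
    private static final String KEY_LOCATION = "saml/rp-private-key.pem";   // PKCS#8 PEM
    private static final String CERT_LOCATION = "saml/rp-certificate.pem";  // X.509 PEM

    /** Credential used to sign outgoing AuthnRequests. */
    public static Saml2X509Credential signingCredential() throws Exception {
        return Saml2X509Credential.signing(loadPrivateKey(), loadCertificate());
    }

    /**
     * Credential used to decrypt encrypted assertions. The IdP encrypts to the certificate
     * published in the SP metadata, so only the matching private key can open the assertion.
     */
    public static Saml2X509Credential decryptionCredential() throws Exception {
        return Saml2X509Credential.decryption(loadPrivateKey(), loadCertificate());
    }

    private static PrivateKey loadPrivateKey() throws Exception {
        try (InputStream in = new ClassPathResource(KEY_LOCATION).getInputStream()) {
            return RsaKeyConverters.pkcs8().convert(in);
        }
    }

    private static X509Certificate loadCertificate() throws Exception {
        try (InputStream in = new ClassPathResource(CERT_LOCATION).getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

The same key pair may back both credentials, but a separate decryption key pair limits the impact if the signing key is ever rotated or exposed.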

Comment From: dawi

I have two more annotations:

  • It's also not possible to set the assertionConsumerServiceBinding.
  • Maybe relying-party-entity-id could be named entity-id, since the other relying party properties are also not prefixed and the IdP's entity-id is also not named identity-provider-entity-id.

Comment From: wilkinsona

Thanks. We prefer to keep issues small and focussed if we can, so I've opened #23745 and #23746 for those two.

Comment From: snicoll

Actually, we used to configure both signing and decryption with the existing configuration property, but the use of credentials is deprecated in Spring Security 5.4, so not introducing the separate property seems to be an oversight.

See also https://github.com/spring-projects/spring-security/commit/56928f61f0f0dbba8dc5c7c6a99746abc39f8230

Comment From: snicoll

@dawi this will be available in 2.4.0-SNAPSHOT shortly. If you have time, I'd appreciate it if you could give the snapshot a try. Thanks!

Comment From: dawi

@snicoll I could successfully authenticate against Keycloak with Encrypt Assertions enabled. :)

Comment From: snicoll

@dawi thanks for trying it out!