Expected Behavior

I should be able to read attribute values after the SAML response is parsed and validated without parsing it myself.

Current Behavior

As far as I can tell, OpenSamlAuthenticationProvider parses and validates the response, and then throws away the Assertion object. What I'm left with is the encrypted response string.

Context

I want to show the user's first and last name on my website.

I could parse XML myself after successful login, but that doesn't seem very pretty.

I think that in the earlier iterations SecurityContextHolder.getContext().getAuthentication().getCredentials() returned SAMLCredential object with getAttribute methods.

Sorry if this is already possible; please tell me how it's supposed to be done in that case. If it's not possible, what nice workaround could I use?

I know that it's possible to extract roles using custom authorities extractor, but what about other attributes?

Comment From: jzheaux

@kostic017 thanks for reaching out; I think adding attributes to the Saml2AuthenticatedPrincipal would be a way to address this.

To add it, it'll be important to maintain Spring Security's independence from OpenSAML, meaning that the resulting authentication shouldn't have any OpenSAML-specific material in it.

One way this could work would be to have OpenSamlAuthenticationProvider iterate through all the attributes and convert them to their corresponding Java types. I think it would be reasonable to add a Map<String, Object> getAttributes() default method to Saml2AuthenticatedPrincipal in that case.

Does that sound like what you are looking for and would you be interested in submitting a PR to add it?
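The conversion jzheaux sketches above, as an added example that is not Spring Security's own code: a helper that walks the attribute statements of an already-validated OpenSAML Assertion and maps each value onto a JDK type, plus a hypothetical principal that exposes the result. It assumes OpenSAML 3 (whose XSDateTime returns a Joda DateTime and XSURI exposes getValue()) and a Saml2AuthenticatedPrincipal that only declares getName(), as in the Spring Security version discussed here. It keeps multi-valued attributes as lists rather than collapsing them to a single Object, which is the one point where it departs from the proposed Map<String, Object> signature.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSBoolean;
import org.opensaml.core.xml.schema.XSBooleanValue;
import org.opensaml.core.xml.schema.XSDateTime;
import org.opensaml.core.xml.schema.XSInteger;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.XSURI;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;

/**
 * Hypothetical helper (not Spring Security code) that turns the attribute statements of
 * an Assertion into plain Java values, so nothing OpenSAML-specific leaks into the Authentication.
 */
public final class AssertionAttributes {

    private AssertionAttributes() {
    }

    /**
     * Only call this with an Assertion whose signature and conditions have already been
     * validated by the provider; this method trusts whatever it is handed.
     * Multi-valued attributes (e.g. several group memberships) are kept as lists.
     */
    public static Map<String, List<Object>> toJavaValues(Assertion assertion) {
        Map<String, List<Object>> attributes = new LinkedHashMap<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                List<Object> values = attributes.computeIfAbsent(attribute.getName(), k -> new ArrayList<>());
                for (XMLObject xmlObject : attribute.getAttributeValues()) {
                    Object value = toJavaValue(xmlObject);
                    if (value != null) {
                        values.add(value);
                    }
                }
            }
        }
        return attributes;
    }

    /** Maps the XML Schema types OpenSAML unmarshals attribute values into onto JDK types. */
    static Object toJavaValue(XMLObject xmlObject) {
        if (xmlObject instanceof XSString) {
            return ((XSString) xmlObject).getValue();
        }
        if (xmlObject instanceof XSAny) {
            // xs:anyType values (common for untyped IdP attributes) only expose their text content
            return ((XSAny) xmlObject).getTextContent();
        }
        if (xmlObject instanceof XSInteger) {
            return ((XSInteger) xmlObject).getValue();
        }
        if (xmlObject instanceof XSURI) {
            return ((XSURI) xmlObject).getValue(); // OpenSAML 3 accessor (assumed); OpenSAML 4 renamed it getURI()
        }
        if (xmlObject instanceof XSBoolean) {
            XSBooleanValue wrapped = ((XSBoolean) xmlObject).getValue();
            return wrapped == null ? null : wrapped.getValue();
        }
        if (xmlObject instanceof XSDateTime) {
            // OpenSAML 3 hands back a Joda DateTime; convert so no Joda type escapes either
            org.joda.time.DateTime dateTime = ((XSDateTime) xmlObject).getValue();
            return dateTime == null ? null : Instant.ofEpochMilli(dateTime.getMillis());
        }
        return null; // unknown or complex value: dropped rather than exposed as an OpenSAML object
    }
}

/** Hypothetical principal carrying the converted attributes alongside the subject name. */
final class AttributedSaml2Principal implements Saml2AuthenticatedPrincipal {
    private final String name;
    private final Map<String, List<Object>> attributes;

    AttributedSaml2Principal(String name, Map<String, List<Object>> attributes) {
        this.name = name;
        this.attributes = Collections.unmodifiableMap(attributes);
    }

    @Override
    public String getName() {
        return this.name;
    }

    public Map<String, List<Object>> getAttributes() {
        return this.attributes;
    }

    /** Convenience for single-valued attributes such as a first or last name. */
    public Object getFirstAttribute(String attributeName) {
        List<Object> values = this.attributes.getOrDefault(attributeName, Collections.emptyList());
        return values.isEmpty() ? null : values.get(0);
    }
}
```

The place to call `AssertionAttributes.toJavaValues` is inside the provider, after the response has been decrypted and the assertion's signature and conditions verified, and before the Assertion is discarded; the resulting map then rides along in the principal, so application code reads `getFirstAttribute("firstName")` (attribute names are whatever the IdP sends) instead of re-parsing XML it has no way to re-validate.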

Comment From: ghost

That should do the job.

As you can probably tell, I've created a pull request... (force push to my branch, looks ugly here)

Comment From: fpagliar

Thanks so much for raising this issue!!! This is a big blocker for us.

Comment From: ghost

@fpagliar Here you can find a nice workaround until the fix gets released:

https://stackoverflow.com/q/62210172/10479742
https://stackoverflow.com/q/58400571/10479742

If your assertion is encrypted, you're gonna need to decrypt it yourself first.

Comment From: fpagliar

@kostic017 thank you! Yeah you can also use the AuthoritiesExtractor to intercept the selected valid decrypted assertion and store what you need. But it is horribly hacky.