Summary

With the current implementation - in Spring Security 5.2.1 - it works very well to map external roles / authorities to internal authorities (using a custom AuthoritiesExtractor).

For all other user data (e.g. mail, country ...), which are also sent within the assertion, there is currently no possibility to read out the data.

It would be nice if we had something similar to the LDAP org.springframework.security.ldap.userdetails.UserDetailsContextMapper interface.

Version

5.2.1.RELEASE

Comment From: fhanik

Thank you for the report.

Linking with: https://github.com/spring-projects/spring-security/issues/7465 as there are a few issues around extracting user data from an assertion

Comment From: blucas

@fhanik can you expand on the issues extracting user data?

I have an urgent need to extract user data, and for the time being the only workaround I can think of is to use the AuthoritiesExtractor/Mapper to not only fetch the groups/roles the user belongs to but also the other data as well, such as first/last name.

If there is anything I can do to help, please let me know.

Comment From: fhanik

@blucas Hi Brendth, I sure will. I'll reply shortly.

Comment From: jzheaux

Work is underway on this via https://github.com/spring-projects/spring-security/issues/8661. As such, I'll close this as a duplicate. I'd invite those interested to comment on that ticket going forward.