Currently we use spring-security-saml in an open-source OIDC-SAML proxy. As the spring-security-saml project is in maintenance mode we would like to migrate and use the spring-security-saml2-service-provider module in spring-security.
With spring-security-saml we have hooks to enhance the AuthnRequest sent to the IdP. We have the requirement to set, depending on the original HTTP request, the following properties on the AuthnRequest:
- ForceAuth
- Scoping
- AuthenticationContextClassReferences
Is this possible with the new support for SAML2 in spring-security? I have read the https://docs.spring.io/spring-security/site/docs/5.3.x/reference/html5/#servlet-saml2 documentation, which suggests using a custom implementation of Saml2AuthenticationRequestFactory together with delegation. However, it seems that this only provides hooks to alter the issuer, assertionConsumerServiceUrl and relayState.
For our use-case I would like to have the possibility to override the current private method OpenSamlAuthenticationRequestFactory#createAuthnRequest so we can do something like:
@Override
protected AuthnRequest createAuthnRequest(String issuer, String destination, String assertionConsumerServiceUrl) {
AuthnRequest authnRequest = super.createAuthnRequest(issuer, destination, assertionConsumerServiceUrl);
// Enhance the authn request
return authnRequest;
}
I'm more than willing to write a PR, but before I do I would like to know if this is the correct direction to go.
Comment From: jzheaux
Hi, @oharsta, thanks for reaching out!
Support for customizing the AuthnRequest was added in 5.4. You can use OpenSamlAuthenticationRequestFactory#setAuthenticationRequestContextConverter to supply a converter that creates the AuthnRequest you need, though it may be easier to register a custom AuthnRequestMarshaller with OpenSAML.
I'm going to close this as answered, but please feel free to continue commenting if there's more to discuss.
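Added worked example, written for this page and not taken from the issue, from the reporter's proxy or from Spring Security's own sources: a converter registered through OpenSamlAuthenticationRequestFactory#setAuthenticationRequestContextConverter (Spring Security 5.4, which ships against the OpenSAML 3.4 API) that reproduces the fields the default factory sets and then adds the three properties the question asks for. Assumptions: the query-parameter names forceAuthn, idp and acr, the two allowlists, that the converter runs on the servlet request thread so Spring's RequestContextHolder is populated (Saml2AuthenticationRequestContext itself does not carry the HttpServletRequest in 5.4), and that OpenSAML has already been initialized, which the factory does.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.opensaml.saml.saml2.core.*;
import org.opensaml.saml.saml2.core.impl.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
 * Added example, not Spring Security's code. Builds the AuthnRequest for
 * OpenSamlAuthenticationRequestFactory and enriches it from the original HTTP request.
 * Parameter names (forceAuthn, idp, acr) and the allowlists below are assumptions.
 */
public class EnrichingAuthnRequestConverter
        implements Converter<Saml2AuthenticationRequestContext, AuthnRequest> {

    // Assumed allowlists. Never copy caller-controlled identifiers into the AuthnRequest
    // unchecked: an attacker shaping the original request could otherwise steer the proxy
    // to an arbitrary IdP (Scoping) or ask for a weaker context class (AuthnContextClassRef).
    private static final Set<String> KNOWN_IDPS = new HashSet<>(Arrays.asList(
            "https://idp-a.example.org/saml", "https://idp-b.example.org/saml"));
    private static final Set<String> KNOWN_ACRS = new HashSet<>(Arrays.asList(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "https://refeds.org/profile/mfa"));

    @Override
    public AuthnRequest convert(Saml2AuthenticationRequestContext context) {
        HttpServletRequest original = currentRequest();

        // Baseline fields, mirroring what the default factory populates.
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(context.getIssuer());
        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
        authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setIssuer(issuer);
        authnRequest.setDestination(context.getDestination());
        authnRequest.setAssertionConsumerServiceURL(context.getAssertionConsumerServiceUrl());
        authnRequest.setProtocolBinding(
                context.getRelyingPartyRegistration().getAssertionConsumerServiceBinding().getUrn());

        // 1. ForceAuthn: demand a fresh login only when the caller explicitly asked for one.
        authnRequest.setForceAuthn("true".equalsIgnoreCase(original.getParameter("forceAuthn")));

        // 2. Scoping: restrict which IdPs the upstream may use, allowlisted.
        List<String> idps = allowlisted(original.getParameterValues("idp"), KNOWN_IDPS);
        if (!idps.isEmpty()) {
            IDPList idpList = new IDPListBuilder().buildObject();
            for (String entityId : idps) {
                IDPEntry entry = new IDPEntryBuilder().buildObject();
                entry.setProviderID(entityId);
                idpList.getIDPEntrys().add(entry);
            }
            Scoping scoping = new ScopingBuilder().buildObject();
            scoping.setIDPList(idpList);
            authnRequest.setScoping(scoping);
        }

        // 3. RequestedAuthnContext with the AuthnContextClassRefs we accept, exact match.
        List<String> acrs = allowlisted(original.getParameterValues("acr"), KNOWN_ACRS);
        if (!acrs.isEmpty()) {
            RequestedAuthnContext rac = new RequestedAuthnContextBuilder().buildObject();
            rac.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
            for (String uri : acrs) {
                AuthnContextClassRef ref = new AuthnContextClassRefBuilder().buildObject();
                ref.setAuthnContextClassRef(uri); // OpenSAML 3.x API; OpenSAML 4 uses setURI
                rac.getAuthnContextClassRefs().add(ref);
            }
            authnRequest.setRequestedAuthnContext(rac);
        }
        return authnRequest;
    }

    // Keep only values present in the allowlist; unknown values are dropped silently.
    private static List<String> allowlisted(String[] requested, Set<String> allowed) {
        List<String> out = new ArrayList<>();
        if (requested != null) {
            for (String value : requested) {
                if (allowed.contains(value)) {
                    out.add(value);
                }
            }
        }
        return out;
    }

    // Assumes a DispatcherServlet or RequestContextFilter has bound the request to the thread.
    private static HttpServletRequest currentRequest() {
        ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            throw new IllegalStateException("No servlet request bound to the current thread");
        }
        return attrs.getRequest();
    }

    @Configuration
    static class Saml2RequestConfig {
        @Bean
        Saml2AuthenticationRequestFactory authenticationRequestFactory() {
            OpenSamlAuthenticationRequestFactory factory = new OpenSamlAuthenticationRequestFactory();
            factory.setAuthenticationRequestContextConverter(new EnrichingAuthnRequestConverter());
            return factory;
        }
    }
}
```

Two caveats when using this in a proxy: the converter replaces the default AuthnRequest construction entirely, so anything the default sets (ID, IssueInstant, ProtocolBinding) has to be set here too or the IdP will reject the request; and requesting an AuthnContextClassRef does not guarantee it, so the assertion's AuthnContext still needs to be checked on the response side before the proxy asserts that level to its OIDC clients.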