At SAML2 login, changing:

```kotlin
http
    .saml2Login()
    .authenticationManager(
        ProviderManager(
            OpenSamlAuthenticationProvider()
        )
    )
```

for

```kotlin
http
    .saml2Login()
    .authenticationManager(
        ProviderManager(
            OpenSaml4AuthenticationProvider()
        )
    )
```

exchanges a fully functional SAML2 login for the following exception:

```
java.lang.NoSuchMethodError: org.opensaml.saml.saml2.assertion.SAML20AssertionValidator.<init>(Ljava/util/Collection;Ljava/util/Collection;Ljava/util/Collection;Lorg/opensaml/saml/saml2/assertion/AssertionValidator;Lorg/opensaml/xmlsec/signature/support/SignatureTrustEngine;Lorg/opensaml/xmlsec/signature/support/SignaturePrevalidator;)V
	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators$3.<init>(OpenSaml4AuthenticationProvider.java:694) ~[spring-security-saml2-service-provider-5.5.0.jar:5.5.0]
	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators.<clinit>(OpenSaml4AuthenticationProvider.java:693) ~[spring-security-saml2-service-provider-5.5.0.jar:5.5.0]
	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.lambda$createDefaultAssertionSignatureValidator$8(OpenSaml4AuthenticationProvider.java:537) ~[spring-security-saml2-service-provider-5.5.0.jar:5.5.0]
	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.lambda$createAssertionValidator$11(OpenSaml4AuthenticationProvider.java:619) ~[spring-security-saml2-service-provider-5.5.0.jar:5.5.0]
	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.process(OpenSaml4AuthenticationProvider.java:427) ~[spring-security-saml2-service-provider-5.5.0.jar:5.5.0]
	...
```
The error makes sense as the attempted constructor does not exist on SAML20AssertionValidator as seen here: https://javadoc.io/static/org.opensaml/opensaml-saml-api/3.3.0/org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.html
Is there something else that needs to be changed except merely changing the provider?
SAML2 is configured with the following setup:

```properties
spring.security.saml2.relyingparty.registration.okta.identityprovider.verification.credentials[0].certificate-location=XXX
spring.security.saml2.relyingparty.registration.okta.identityprovider.entity-id=XXX
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.url=XXX
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.sign-request=XXX
```

Included dependencies (among others):

```kotlin
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.security:spring-security-saml2-service-provider")
```

**Expected behavior:** Same behaviour as prior to change
Comment From: jzheaux
Hi, @fast-reflexes, thanks for the report.
You need to specify OpenSAML 4 in your dependencies to use OpenSaml4XXX classes. Spring Security uses OpenSAML 3 by default for backward compatibility.
Note that in the future, Stack Overflow is our preferred forum for questions. If the above answer doesn't address your question, please consider asking at StackOverflow and posting a link to the question here.
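As an added illustration of the dependency change jzheaux describes (this is not code from the issue or from the Spring Security project), the Gradle Kotlin DSL fragment below pins OpenSAML 4 explicitly so that `OpenSaml4AuthenticationProvider` finds the `SAML20AssertionValidator` constructor it was compiled against. The Shibboleth repository URL and the `4.1.1` version are assumptions taken from Spring Security's SAML2 reference documentation for the 5.5 line; confirm both against the documentation for the Spring Security release you are on.

```kotlin
// build.gradle.kts (added example; repository URL and OpenSAML version are assumptions,
// not values from this issue)

repositories {
    mavenCentral()
    // OpenSAML 4 artifacts are published to the Shibboleth repository, not to Maven Central
    maven { url = uri("https://build.shibboleth.net/nexus/content/repositories/releases/") }
}

dependencies {
    implementation("org.springframework.boot:spring-boot-starter-security")
    implementation("org.springframework.security:spring-security-saml2-service-provider")

    // spring-security-saml2-service-provider pulls in OpenSAML 3 transitively by default.
    // OpenSaml4AuthenticationProvider is compiled against OpenSAML 4, so with only the 3.x
    // jars on the classpath its static initializer fails with the NoSuchMethodError shown
    // above. Declaring 4.x directly makes Gradle's conflict resolution (highest version wins)
    // replace the transitive 3.x version.
    val opensamlVersion = "4.1.1" // assumed; use the version your Spring Security release targets
    implementation("org.opensaml:opensaml-core:$opensamlVersion")
    implementation("org.opensaml:opensaml-saml-api:$opensamlVersion")
    implementation("org.opensaml:opensaml-saml-impl:$opensamlVersion")
}
```

To check that the override actually took effect before deploying, inspect the resolved runtime classpath with `./gradlew dependencies --configuration runtimeClasspath` and confirm that every `org.opensaml` artifact resolves to the 4.x version (Gradle prints `3.x -> 4.1.1` next to the upgraded transitive entries). A mixed 3.x/4.x classpath is exactly the situation that produces class-initialization failures like the one in the stack trace, and because the failure happens at class-load time it surfaces on the first login attempt rather than at startup.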