https://github.com/spring-projects/spring-security/blob/662ab1041647d516c9cb047f123ead05d4ee3d2f/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java#L181

Since we are allowed to use a custom assertionConsumerLocation when registering a relying party, I do not understand why the loginProcessingUrl should contain the {registrationId}?

Comment From: marcusdacoregio

Hi @sathishkumar294, thanks for reaching out.

The registrationId is an arbitrary value that you choose for differentiating between registrations. There could be many different RelyingPartyRegistrations and each one will be identified by the registrationId.

When the request comes in, we already know which registration it is referring to since we have the variable in the URL.

I am closing this but feel free to continue the discussion.

Comment From: sathishkumar294

Hi @marcusdacoregio, thanks for your explanation. I agree with your answer considering how it will be really beneficial to new software solutions. I am in the process of migrating an existing tool written in 2014 to the latest version of Spring Security. Since the URLs related to login/assertion have already been in use by several users for years now, we wanted to retain the same URLs in the new application so that the experience would look seamless for the users. Since the registrationId is mandatory in the login processing URL, I am not able to re-use the previous login URL. I would suggest the need to use Spring Security's conventions for URLs to my business team and try to convince them it is necessary for our future.

Thanks.

Comment From: marcusdacoregio

Hi @sathishkumar294.

I was talking with the team, and the filterProcessingUrl should not be required to contain the {registrationId} when you provide an AuthenticationConverter to resolve the RelyingPartyRegistration.

Do you mind if I change the title of this issue to SAML 2.0 Login should allow filterProcessingUrl without {registrationId} when providing an AuthenticationConverter?

Comment From: marcusdacoregio

As a workaround, you can use the ObjectPostProcessor to set the filterProcessingUrl in Saml2WebSsoAuthenticationFilter.

```java
http
    // Only the POST-binding ACS endpoint needs to be excluded from CSRF protection
    .csrf((csrf) -> csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/login/saml2/sso"))) // If using POST-binding
    .saml2Login((saml2) -> saml2
        .authenticationConverter(myAuthenticationConverter)
        .withObjectPostProcessor(new ObjectPostProcessor<Saml2WebSsoAuthenticationFilter>() {
            @Override
            public <O extends Saml2WebSsoAuthenticationFilter> O postProcess(O object) {
                // Override the default "/login/saml2/sso/{registrationId}" pattern
                object.setFilterProcessesUrl("/login/saml2/sso");
                return object;
            }
        })
    );
```

Remember that you have to provide the AuthenticationConverter since the default implementation relies on the registrationId to be present in the URL.
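As an added example that is not part of this thread or of the Spring Security project, here is a complete SecurityFilterChain that combines the ObjectPostProcessor workaround above with an AuthenticationConverter that does not need the registrationId in the URL: it wraps Spring Security's own Saml2AuthenticationTokenConverter with a RelyingPartyRegistrationResolver that always returns one fixed registration (the legacy application has a single IdP). The package names assume Spring Security 6.x (on 5.x the filter lives in a different package), the registration id "legacy-idp" and the path "/login/saml2/sso" are constructed for the example, and the two-argument resolver lambda assumes a version where resolve(request, id) is the interface's only abstract method.

```java
package com.example.legacysaml; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class LegacySamlSecurityConfig {

    // Id under which the single IdP is registered in the repository (constructed for this example).
    private static final String LEGACY_REGISTRATION_ID = "legacy-idp";
    // The historical assertion consumer URL that must keep working (constructed for this example).
    private static final String LEGACY_ACS_PATH = "/login/saml2/sso";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {

        // Resolve the registration by a fixed id instead of from a {registrationId} path variable.
        // The SAMLResponse is still validated against this registration's asserting-party
        // verification credentials, so a response from any other IdP is rejected.
        RelyingPartyRegistrationResolver fixedResolver = (request, registrationId) -> {
            RelyingPartyRegistration registration =
                    registrations.findByRegistrationId(LEGACY_REGISTRATION_ID);
            if (registration == null) {
                throw new IllegalStateException(
                        "RelyingPartyRegistration not found: " + LEGACY_REGISTRATION_ID);
            }
            return registration;
        };
        // Reuse the framework converter for decoding/inflating the SAMLResponse parameter.
        Saml2AuthenticationTokenConverter converter =
                new Saml2AuthenticationTokenConverter(fixedResolver);

        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            // POST binding: the IdP posts the SAMLResponse, so exclude only this path from CSRF.
            .csrf((csrf) -> csrf.ignoringRequestMatchers(new AntPathRequestMatcher(LEGACY_ACS_PATH)))
            .saml2Login((saml2) -> saml2
                .authenticationConverter(converter)
                .withObjectPostProcessor(new ObjectPostProcessor<Saml2WebSsoAuthenticationFilter>() {
                    @Override
                    public <O extends Saml2WebSsoAuthenticationFilter> O postProcess(O filter) {
                        // Replace the default "/login/saml2/sso/{registrationId}" pattern.
                        filter.setFilterProcessesUrl(LEGACY_ACS_PATH);
                        return filter;
                    }
                })
            );
        return http.build();
    }
}
```

Two things to check when wiring this up: the registration's assertionConsumerServiceLocation must resolve to the same path (for example "{baseUrl}" + LEGACY_ACS_PATH), otherwise the Recipient/Destination validation of the assertion fails, and the CSRF exclusion must stay limited to that one path rather than being applied to the whole "/login/**" tree.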

Comment From: sathishkumar294

Thanks, I will try this recommendation and update here.

Comment From: spring-projects-issues

Fixed via 816e847af2bfa8785698295c2333dbec467dd6ee