My current authentication is working and I get values in my DefaultSaml2AuthenticationProvider, but somehow I can't find these values:
<saml2:AttributeValue xmlns:example="http://www.example.de/schema/something/saml/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="example:CustomType">
<example:name>Springy</example:name>
</saml2:AttributeValue>
Comment From: jzheaux
Thanks for the report, @leneinz.
I think I'll need more information to help you get to the root of the problem. Would you please share a minimal sample that reproduces the issue? It would be helpful if the minimal sample included a sample SAML response that's not working as expected.
Comment From: leneinz
Hi, I had to ask the legal team before I could make this response public, sorry for the delay. I changed the names and URIs a bit.
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://example.com/something/sso/acs" ID="_123123123123132"
    InResponseTo="_456456456465456" IssueInstant="2021-04-29T12:30:48.721Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://id.example.com</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_a957ef3c9ef293e3ad8a09a012c913a6bc63db74"
      IssueInstant="2021-04-29T12:30:48.719Z" Version="2.0">
    <saml2:Issuer>https://id.example.com</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ab-abcdefc456456878978945456</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
            InResponseTo="_025da7c63e568afbed6277b6b8a5e08a82c6d99f"
            NotOnOrAfter="2021-04-29T12:35:48.721Z"
            Recipient="https:/example.com/something/sso/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2021-04-29T12:35:48.719Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:com:example:demo</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-04-29T12:30:48.719Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Address">
        <saml2:AttributeValue
            xmlns:myType="http://www.example.com/schema/myType/saml/extensions"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="myType:AdresseType">
          <myType:Street>Some Nice Street</myType:Street>
          <myType:Number>6</myType:Number>
          <myType:ZIP>12354</myType:ZIP>
          <myType:City>Nicetown</myType:City>
          <myType:Country>DE</myType:Country>
        </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
Comment From: jzheaux
When it comes to processing custom types, OpenSAML recommends a custom unmarshaller.
But, OpenSaml4AuthenticationProvider ignores custom types in getXmlObjectValue. I think it makes sense to change getXmlObjectValue to return xmlObject instead of null so that it doesn't ignore custom types.
Are you able to submit a PR to change that and then add a test that uses a custom unmarshaller?
In the meantime, you can parse custom attributes yourself by using a custom authentication converter like so:
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
// Keep Spring Security's default conversion; it builds the base principal from the validated response
Converter<ResponseToken, Saml2Authentication> authenticationConverter =
        OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
provider.setResponseAuthenticationConverter((responseToken) -> {
    Saml2Authentication authentication = authenticationConverter.convert(responseToken);
    Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
    Map<String, List<Object>> attributes = new LinkedHashMap<>(principal.getAttributes());
    // parseAddressFromResponse is your own code that walks the OpenSAML Response object
    attributes.put("Address", parseAddressFromResponse(responseToken.getResponse()));
    principal = new DefaultSaml2AuthenticatedPrincipal(authentication.getName(), attributes);
    return new Saml2Authentication(principal, authentication.getSaml2Response(),
            authentication.getAuthorities());
});
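One way to write the parsing half of that workaround, as an added example that is not Spring Security's own code and not part of the original thread: a converter that wraps the default one and pulls the child elements of the complex `Address` value out of the OpenSAML object tree. It assumes that, with no unmarshaller registered for `myType:AdresseType`, OpenSAML falls back to `XSAny` for the `AttributeValue` and its children, which is why the default converter only sees an empty text value; the class name `AddressAttributeConverter`, the helper names `parseAddresses` and `toMap`, and the attribute name `Address` (taken from the response above) are this example's own choices.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Response;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

/**
 * Example converter (not Spring Security's code): decorates the default
 * Saml2Authentication with a parsed "Address" attribute whose value is a
 * complex xsi:type that OpenSAML unmarshals as XSAny (assumption).
 */
public final class AddressAttributeConverter
        implements Converter<ResponseToken, Saml2Authentication> {

    // Attribute name as it appears in the response posted in this thread
    private static final String ADDRESS_ATTRIBUTE = "Address";

    // The default converter has already run signature, audience and timing
    // validation inside the provider; we only add to the principal it builds.
    private final Converter<ResponseToken, Saml2Authentication> delegate =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

    @Override
    public Saml2Authentication convert(ResponseToken responseToken) {
        Saml2Authentication authentication = this.delegate.convert(responseToken);
        Saml2AuthenticatedPrincipal principal =
                (Saml2AuthenticatedPrincipal) authentication.getPrincipal();

        Map<String, List<Object>> attributes = new LinkedHashMap<>(principal.getAttributes());
        List<Object> addresses = parseAddresses(responseToken.getResponse());
        if (!addresses.isEmpty()) {
            // Replaces the null/empty entry the default converter produced for this attribute
            attributes.put(ADDRESS_ATTRIBUTE, addresses);
        }
        DefaultSaml2AuthenticatedPrincipal decorated =
                new DefaultSaml2AuthenticatedPrincipal(principal.getName(), attributes);
        return new Saml2Authentication(decorated, authentication.getSaml2Response(),
                authentication.getAuthorities());
    }

    /**
     * Walks every AttributeStatement of every Assertion and turns each Address
     * value into a Map of local element name (Street, Number, ZIP, City, Country)
     * to its text content. Values that are not XSAny are left to the default converter.
     */
    static List<Object> parseAddresses(Response response) {
        List<Object> result = new ArrayList<>();
        for (Assertion assertion : response.getAssertions()) {
            for (AttributeStatement statement : assertion.getAttributeStatements()) {
                for (Attribute attribute : statement.getAttributes()) {
                    if (!ADDRESS_ATTRIBUTE.equals(attribute.getName())) {
                        continue;
                    }
                    for (XMLObject value : attribute.getAttributeValues()) {
                        if (value instanceof XSAny) {
                            result.add(toMap((XSAny) value));
                        }
                    }
                }
            }
        }
        return result;
    }

    // Child elements of an unknown type are kept by OpenSAML as "unknown" XMLObjects
    private static Map<String, String> toMap(XSAny value) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (XMLObject child : value.getUnknownXMLObjects()) {
            if (child instanceof XSAny) {
                String text = ((XSAny) child).getTextContent();
                fields.put(child.getElementQName().getLocalPart(), text == null ? "" : text.trim());
            }
        }
        return fields;
    }
}
```

Wire it in with `provider.setResponseAuthenticationConverter(new AddressAttributeConverter());`. Because the delegate runs first, the parser only ever sees a response that has already passed the provider's signature and condition checks, so the custom parsing does not weaken validation; the map is keyed by local name only, so two extension schemas that reuse element names would collide, and a production version should key by the full `QName` if that matters.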
Comment From: igorpele
Hi I would like to have a look at this issue. Thanks. Cheers
Comment From: jzheaux
Thanks, @igorpele, it's yours.