Hello Spring Security Team,
I just wanted to open this enhancement request. Please kindly consider it if you can.
Currently, per Spring Team comment, "Spring Security supports both OpenSAML 3 and 4".
This can be further confirmed by looking at the code base:
Evidence where Spring supports version 3: https://github.com/spring-projects/spring-security/blob/6ce6a1a55ea86b4607dad67fcf7cbda8d3b2b938/gradle.properties#L5
Evidence where Spring Security supports version 4: https://github.com/spring-projects/spring-security/blob/ce720ad38e99e3b27a318dba8f8f16befa4da176/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle#L53
However, OpenSAML 3 is known to have many vulnerabilities, and is EOL.
While I have an internal question as to why Spring Security would choose to support a version that is known to be EOL, I would like to propose this enhancement request.
Can Spring Security support only OpenSAML 4, instead of supporting both versions, please?
A removal of OpenSAML 3, which again, is EOL, would put Spring Security in a much better shape.
Thank you
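A defender-side check for the situation raised in this issue, added here as an example and not code from the Spring Security project: it parses the output of `gradle dependencies --configuration runtimeClasspath` and reports any `org.opensaml` artifact that still resolves at the EOL 3.x line after Gradle's conflict resolution. The report text below is constructed, and `com.example:legacy-sso-adapter` is a hypothetical artifact.

```python
import re
from typing import Dict, List

# One dependency line of a Gradle dependency report, e.g.
#   "|    +--- org.opensaml:opensaml-core:3.4.6 -> 4.1.1 (*)"
# The optional "-> x" is the version Gradle actually resolved after conflict resolution.
_DEP = re.compile(
    r"[+\\]--- (?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<req>[\w.\-]+)"
    r"(?: -> (?P<res>[\w.\-]+))?"
)

EOL_MAJOR = 3  # OpenSAML 3 is end-of-life; the 4.x line is the supported one


def resolved_versions(report: str) -> Dict[str, str]:
    """Map 'group:name' -> resolved version for every dependency line in the report."""
    out: Dict[str, str] = {}
    for line in report.splitlines():
        m = _DEP.search(line)
        if m:
            out[f"{m['group']}:{m['name']}"] = m["res"] or m["req"]
    return out


def eol_opensaml(report: str) -> List[str]:
    """Return 'group:name:version' for each OpenSAML artifact resolved at the EOL major."""
    hits = []
    for coord, version in resolved_versions(report).items():
        major = version.split(".")[0]
        if coord.startswith("org.opensaml:") and major.isdigit() and int(major) == EOL_MAJOR:
            hits.append(f"{coord}:{version}")
    return sorted(hits)


# Constructed sample report: the SAML service provider pulls OpenSAML 4, a hypothetical
# legacy adapter requests opensaml-core 3.x (resolved up to 4.1.1 by Gradle) and also
# drags in an xmlsec artifact that stays on the EOL 3.x line.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.security:spring-security-saml2-service-provider:5.8.0
|    +--- org.opensaml:opensaml-core:4.1.1
|    +--- org.opensaml:opensaml-saml-api:4.1.1
|    \\--- org.opensaml:opensaml-saml-impl:4.1.1
\\--- com.example:legacy-sso-adapter:1.0
     +--- org.opensaml:opensaml-core:3.4.6 -> 4.1.1 (*)
     \\--- org.opensaml:opensaml-xmlsec-api:3.4.6
"""

if __name__ == "__main__":
    for hit in eol_opensaml(SAMPLE_REPORT):
        print("EOL OpenSAML artifact on runtime classpath:", hit)
```

Run it against a real report by piping `gradle dependencies --configuration runtimeClasspath` into `eol_opensaml`; an empty result means no EOL OpenSAML 3 artifact survived resolution.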
Comment From: marcusdacoregio
Hi @patpatpat123, thank you for the report, it makes total sense.
Since this breaks passivity, we will remove the OpenSAML 3 support in 6.0. There is already an issue created to track this effort: https://github.com/spring-projects/spring-security/issues/10556.
I'm closing this as a duplicate, but feel free to reach out in the other issue.
Comment From: patpatpat123
Thank you for the answer @marcusdacoregio. Good day!