It would be nice to have an implementation of Saml2AuthenticatedPrincipal that includes the original Response instance. Because this is an OpenSAML class, it needs to be in an implementation prefixed by OpenSaml.

The principal should be the one used in OpenSaml4AuthenticationProvider when constructing the authentication to return.

Comment From: Enkosz

Hi @jzheaux! I could do it! Looking at the code, we could simply make a new implementation of Saml2AuthenticatedPrincipal and make it configurable in the OpenSaml4AuthenticationProvider class. Should we include only the first Assertion like we do here, or all of the AssertionList from the ResponseToken?

Comment From: gertjanal

In our setup with the old plugin, we store the AuthnResponse as String and it is passed on to other services, where the assertions and issued date are validated with our custom OpenSAML code. Making the Response available would help a lot, but making the saml token available as String would help us even better. I know we could write the token from Response back to String, but that sounds slower than storing the received data itself...

Comment From: rwinch

It is important to be mindful of how large the objects that will be stored in session are. Authentication objects will be stored in session and the SAML Response can be quite large, so I don't think we want to save the SAML Response in the Authentication by default.

Comment From: jzheaux

@gertjanal, I'm not sure I understand completely yet. The string version of the response is already available in Saml2Authentication#getSaml2Response. You can get it in a controller by doing:

@GetMapping
public String method(Saml2Authentication authentication) {
  // retrieve the response: the decoded XML string kept on the Authentication
  return authentication.getSaml2Response();
}

Because this is of type Authentication, Spring MVC's RequestPrincipalArgumentResolver resolves it.

@rwinch, good point. I was not thinking about the fact that Saml2Authentication gets stored in the session when I submitted this idea. Given that, I don't think that we can place the OpenSAML Response object in the Authentication since it is not Serializable. As it is, folks can deserialize the string value if needed.
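As an added example (not code from the issue or from Spring Security), the following controller shows the approach the thread settles on: keep only the string that Saml2Authentication already carries in the session, and re-parse it into an OpenSAML Response on demand instead of storing the non-Serializable object. The endpoint path, class and method names are assumptions; it assumes OpenSAML has been initialized, which Spring Security does at startup.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Response;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SamlResponseController {

    // Hypothetical endpoint (assumption): reports issuer and assertion count of the login response.
    @GetMapping("/saml/response-summary")
    public String responseSummary(Saml2Authentication authentication) throws Exception {
        // The decoded XML string is what Spring Security already keeps in the session;
        // nothing larger than that is added to the session by this controller.
        String xml = authentication.getSaml2Response();
        Response response = parseResponse(xml);
        String issuer = response.getIssuer() == null ? "<none>" : response.getIssuer().getValue();
        return "issuer=" + issuer + " assertions=" + response.getAssertions().size();
    }

    // Re-parse the stored XML with OpenSAML's registered ParserPool, which is configured
    // against external entities, and unmarshal it into the typed Response object.
    // Note: this does not re-run signature or validity checks; those happened in
    // OpenSaml4AuthenticationProvider when the user authenticated.
    static Response parseResponse(String xml) throws Exception {
        ParserPool parserPool = XMLObjectProviderRegistrySupport.getParserPool();
        XMLObject object = XMLObjectSupport.unmarshallFromInputStream(
                parserPool, new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        if (!(object instanceof Response)) {
            throw new IllegalArgumentException("Stored SAML token is not a <samlp:Response>");
        }
        return (Response) object;
    }
}
```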