I saw the new approach to the SAML Service Provider configuration in Spring. I admit that the new Saml2AuthenticationRequestResolver makes configuration simpler. In any case, sometimes we need to create our SAML AuthnRequest ourselves and not just customize it.
For example, in Italy the SPID SAML specification doesn't allow the passive attribute in the SAML AuthnRequest and requires a custom namespace.
Is there a way to be independent in creating the SAML AuthnRequest inside the Saml2AuthenticationRequestResolver?
If it's not possible, I think it would be useful to add this feature.
Comment From: marcusdacoregio
Hi, @angeloimm.
In order to have total control of the AuthnRequest instance, you should have your own implementation of Saml2AuthenticationRequestResolver instead of delegating it to OpenSaml4AuthenticationRequestResolver. The OpenSaml4AuthenticationRequestResolver uses the OpenSamlAuthenticationRequestResolver to create the instance and just customizes it after the creation. I'll page @jzheaux to check if he is aware of another way to do that or if there is some discussion going on already.
Comment From: angeloimm
Hi, @marcusdacoregio
I was thinking about it... but I wanted to avoid it :)
I wanted to avoid it because I can't use the SAMLUtils class and so on... Basically OpenSaml4AuthenticationRequestResolver is very good and I do really like the new approach... It would be great if OpenSaml4AuthenticationRequestResolver allowed us total control of the AuthnRequest.
Comment From: marcusdacoregio
Were you not able to change the passive attribute and add a custom namespace using the customizer? I believe you can do something like:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;

@Bean
Saml2AuthenticationRequestResolver authenticationRequestResolver(
        RelyingPartyRegistrationRepository registrations) {
    // Resolve the RelyingPartyRegistration from the incoming request
    RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(
            registrations);
    // OpenSaml4AuthenticationRequestResolver builds the AuthnRequest; the customizer adjusts it afterwards
    OpenSaml4AuthenticationRequestResolver delegate = new OpenSaml4AuthenticationRequestResolver(
            registrationResolver);
    delegate.setAuthnRequestCustomizer((parameters) -> {
        parameters.getAuthnRequest().setIsPassive(false);
        // ... declare the custom namespace through parameters.getAuthnRequest().getNamespaceManager()
    });
    return delegate;
}
```
Comment From: angeloimm
Hi @marcusdacoregio. Sure, I can change the passive attribute, but in my case I need to delete it... in my AuthnRequest this attribute must not be present. And sure, I can add custom namespaces. What I think, IMHO, is that sometimes it's useful to have total control of the AuthnRequest without providing a custom implementation of Saml2AuthenticationRequestResolver. After all, I think that in 99% of use cases what developers want is not only to be able to customize the AuthnRequest (already possible) but also to be able to create the AuthnRequest by themselves.
At least this is what I experienced in my last projects with the Italian SPID and CIE SAML-based specifications.
Angelo
Comment From: marcusdacoregio
You can remove the attributes as well. In this case, you should do the following:
```java
parameters.getAuthnRequest().setIsPassive((XSBooleanValue) null);
```
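A complete configuration that applies both points from this thread (dropping the IsPassive attribute and declaring an extra namespace) is shown below. This is an added example, not code from the thread or from Spring Security itself. It assumes Spring Security 5.7+ and OpenSAML 4; the namespace URI and prefix are placeholders, not the real SPID values, and the `isPassiveAttributeAbsent` helper is a hypothetical check for a test, which needs OpenSAML initialized (Spring Security does this via OpenSamlInitializationService) before it is called.

```java
import org.opensaml.core.xml.Namespace;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.schema.XSBooleanValue;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.w3c.dom.Element;

@Configuration
public class AuthnRequestConfig {

    // Placeholder namespace (assumption for this example); substitute the values your IdP specification requires.
    static final String CUSTOM_NS_URI = "https://example.invalid/custom-ns";
    static final String CUSTOM_NS_PREFIX = "custom";

    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(
            RelyingPartyRegistrationRepository registrations) {
        RelyingPartyRegistrationResolver registrationResolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);
        // The delegate builds the AuthnRequest; we only reshape it afterwards.
        OpenSaml4AuthenticationRequestResolver delegate =
                new OpenSaml4AuthenticationRequestResolver(registrationResolver);
        delegate.setAuthnRequestCustomizer(context -> shapeAuthnRequest(context.getAuthnRequest()));
        return delegate;
    }

    /**
     * Removes the IsPassive attribute and declares the custom namespace on the root element.
     * The cast is needed because setIsPassive is overloaded (Boolean and XSBooleanValue);
     * setIsPassive(false) would still serialize IsPassive="false", which the thread's
     * specification forbids, whereas a typed null clears the attribute altogether.
     */
    static void shapeAuthnRequest(AuthnRequest authnRequest) {
        authnRequest.setIsPassive((XSBooleanValue) null);
        authnRequest.getNamespaceManager()
                .registerNamespaceDeclaration(new Namespace(CUSTOM_NS_URI, CUSTOM_NS_PREFIX));
    }

    /**
     * Hypothetical test helper: marshals the request and checks the serialized XML, which is
     * what the IdP actually sees, rather than trusting the in-memory object.
     */
    static boolean isPassiveAttributeAbsent(AuthnRequest authnRequest) throws MarshallingException {
        Element root = XMLObjectSupport.marshall(authnRequest);
        return !root.hasAttribute("IsPassive");
    }
}
```

In a test, build an AuthnRequest the same way the resolver does, pass it through `shapeAuthnRequest`, and assert that `isPassiveAttributeAbsent` returns true and that the root element carries the expected `xmlns:custom` declaration; checking the marshalled output catches the difference between "attribute set to false" and "attribute absent", which is exactly the distinction this thread turns on.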
Comment From: angeloimm
I didn't try it... I'll try it and let you know.
Comment From: angeloimm
Hi @marcusdacoregio. My bad! I didn't try the simplest solution ever 😢😢🤣😂
I confirm that it's all perfectly working. I'm still doing some tests, but it's working and I really love the new approach... it's much much much simpler.
Comment From: marcusdacoregio
Great! I'll close this as solved then.