Expected Behavior

I want to be able to change all SAML2 URLs to be able to e.g. add a prefix.

Current Behavior

Some URLs are customizable, like Saml2LoginConfigurer.loginProcessingUrl. While some are not, e.g. Saml2LoginConfigurer.AuthenticationRequestEndpointConfig.filterProcessingUrl (/saml2/authenticate/{registrationId}).

Context

A workaround for adding a path prefix is using the server.servlet.context-path. But this doesn't work if you want to tweak URLs to be similar to an already existing solution created with the old SAML module.

Although assuming you want /auth as a prefix, and after login you want to redirect to the root / and not /auth/, you cannot use the default success handler. You need to create a custom one with a redirect strategy which is not context relative.

Comment From: jzheaux

@JoakimLofgren I think it makes sense to simplify configuring the URL for creating an AuthnRequest.

If we follow the pattern established in OAuth2LoginConfigurer, I think most decisions will be fairly straightforward. For example, it would be nice to do:

http
    .saml2Login(saml2 -> saml2
        .authenticationRequestEndpoint(authn -> authn
            .baseUri(myCustomUri)
        )
    );

Then that would be quite similar to:

http
    .oauth2Login(oauth2 -> oauth2
        .authorizationEndpoint(authz -> authz
            .baseUri(myCustomUri)
        )
    );

Would you be able to submit a PR along those lines to enhance the DSL? It would also be quite nice to update the Kotlin DSL while you are at it.

Comment From: JoakimLofgren

Sure. After https://github.com/spring-projects/spring-security/issues/8864 is finished.

Comment From: jzheaux

After a bit more experimentation with it, I think the following is easier to read:

http
    .saml2Login(saml2 -> saml2
        .loginProcessingUrl("/saml2/response/{registrationId}")
        .authenticationRequestUri("/saml2/request/{registrationId}")
    );

I like it because it has less hierarchy.

Comment From: jzheaux

@JoakimLofgren are you still able to contribute a PR to add support for configuring the Saml2WebSsoAuthenticationRequestFilter URI?

Comment From: chelseakohli

Hey, I am kind of stuck on not being able to change the default entityId & replyUrl in the AuthnRequest. My SP is running on http, so the URLs for entityId & replyUrl are being generated for http. But because of some firewall changes, public website access is only via https. So basically I want the URLs in the AuthnRequest to be https.

Comment From: jzheaux

@chelseakohli, this would probably be better as a StackOverflow question, so please consider posting there if my answer here doesn't address your question and also update your comment with the StackOverflow link.

You can customize the AuthnRequest by configuring the OpenSamlAuthenticationRequestFactory:

@Bean
Saml2AuthenticationRequestFactory authenticationRequestFactory() {
    OpenSamlAuthenticationRequestFactory factory =
            new OpenSamlAuthenticationRequestFactory();
    factory.setAuthenticationRequestContextConverter((context) -> {
        // construct and return the AuthnRequest, using the issuer,
        // destination and ACS URL exposed by the context
    });
    return factory;
}
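A complete version of the converter above, added here as an example and not code from the thread or from Spring Security itself. It assumes Spring Security 5.4 to 5.6 with OpenSAML 3 (the OpenSamlAuthenticationRequestFactory variant) and takes the issuer, destination and AssertionConsumerServiceURL from the Saml2AuthenticationRequestContext rather than hard-coding them:

```java
// Added example: a full Saml2AuthenticationRequestFactory bean (assumes OpenSAML 3 APIs).
import java.util.UUID;

import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;

@Configuration
public class Saml2AuthnRequestConfig {

    @Bean
    Saml2AuthenticationRequestFactory authenticationRequestFactory() {
        // Constructing the factory first also initializes OpenSAML's provider registry
        OpenSamlAuthenticationRequestFactory factory = new OpenSamlAuthenticationRequestFactory();
        XMLObjectBuilderFactory builders = XMLObjectProviderRegistrySupport.getBuilderFactory();
        AuthnRequestBuilder authnRequestBuilder =
                (AuthnRequestBuilder) builders.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        IssuerBuilder issuerBuilder = (IssuerBuilder) builders.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);

        factory.setAuthenticationRequestContextConverter((context) -> {
            Issuer issuer = issuerBuilder.buildObject();
            issuer.setValue(context.getIssuer()); // SP entityId from the RelyingPartyRegistration

            AuthnRequest authnRequest = authnRequestBuilder.buildObject();
            // ID is an xs:ID (NCName), so it must not start with a digit
            authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
            authnRequest.setIssueInstant(new DateTime(DateTimeZone.UTC));
            authnRequest.setIssuer(issuer);
            authnRequest.setDestination(context.getDestination()); // IdP single sign-on URL
            // Where the IdP will POST the Response; {baseUrl} in the registration's
            // assertionConsumerServiceLocation is resolved from the incoming request
            authnRequest.setAssertionConsumerServiceURL(context.getAssertionConsumerServiceUrl());
            authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
            authnRequest.setForceAuthn(true); // example customization: always re-authenticate at the IdP
            return authnRequest;
        });
        return factory;
    }
}
```

If the scheme comes out as http because TLS is terminated at a proxy, the robust fix is to make the application see the original request (Spring's ForwardedHeaderFilter or `server.forward-headers-strategy`) so that `{baseUrl}` resolves to https, rather than rewriting the URL strings inside the converter.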

Comment From: fr2lancer

Hi.

Are there any updates on this? It seems like the suggestions above haven't been applied to 5.6.0-RC yet.

Any workaround for this? (e.g. using withObjectPostProcessor?)

Thank you.

Comment From: denis111

@fr2lancer I had to use reflection and an ObjectPostProcessor as a workaround inside the configure(http) method:

// Inside configure(HttpSecurity http); `saml` is the Saml2LoginConfigurer from
// http.saml2Login() and SAML_PATH is our custom path prefix
Field parent = ReflectionUtils.findField(saml.getClass(), "authenticationRequestEndpoint");
parent.setAccessible(true);
Field child = ReflectionUtils.findField(parent.getType(), "filterProcessingUrl");
child.setAccessible(true);
// Overwrite the private filterProcessingUrl of the nested AuthenticationRequestEndpointConfig
ReflectionUtils.setField(child, ReflectionUtils.getField(parent, saml),
    SAML_PATH + "/login");
parent.setAccessible(false);
child.setAccessible(false);
// Also point the built filter's redirect matcher at the same custom path
saml.addObjectPostProcessor(
    new ObjectPostProcessor<Saml2WebSsoAuthenticationRequestFilter>() {
      @Override
      public <O extends Saml2WebSsoAuthenticationRequestFilter> O postProcess(O object) {
        object.setRedirectMatcher(new AntPathRequestMatcher(SAML_PATH + "/login"));
        return object;
      }
    });

Comment From: denis111

Could we also have these fields customizable?

private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

Because we want to make logout requests by AJAX POST, and JS can't control 302 redirects.

Comment From: jzheaux

@denis111 please log a separate issue regarding customizing the redirect strategy.

Comment From: bramhaag

Any progress?

Comment From: jzheaux

While some are not, e.g. Saml2LoginConfigurer.AuthenticationRequestEndpointConfig.filterProcessingUrl (/saml2/authenticate/{registrationId})

@JoakimLofgren, I've created #10840 to specifically address the authentication request URI. Are there any other endpoints that you would like to see addressed? If not, I'll close this issue in favor of #10840.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: JoakimLofgren

Sounds good. 👍