Expected Behavior

As a service provider, it would be great if we could override the following parameters in a SAMLRequest:

  • ForceAuthn
  • IsPassive

Current Behavior

Currently, we are having the default values configured which is

Context

As a service provider, we want to enforce that the user is always prompted for authentication while accessing some sensitive service, so we would like to set the following values:

  • = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • ForceAuthn = true

Comment From: jzheaux

If these values are the same all the time, then the easiest way is to register your own custom AuthnRequestMarshaller with OpenSAML.

Or, if the value needs to be changed on a per-request basis, you can register your own Saml2AuthenticationRequestContextResolver.

Will either of those work in your case?
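The first option mentioned above, a custom AuthnRequestMarshaller registered with OpenSAML, as an added example that is not code from this issue or from Spring Security itself. It assumes Spring Security 5.4+ (for OpenSamlInitializationService) and OpenSAML 3 or 4, and forces ForceAuthn="true" / IsPassive="false" on every outgoing AuthnRequest:

```java
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.impl.AuthnRequestMarshaller;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.w3c.dom.Element;

// Hypothetical configuration class name; the marshaller registration is global
// to OpenSAML, so it affects every AuthnRequest the application emits.
@Configuration
public class ForceAuthnMarshallerConfig {

    static {
        // OpenSAML's registry must be initialised before it can be modified;
        // this is idempotent in Spring Security 5.4+.
        OpenSamlInitializationService.initialize();

        XMLObjectProviderRegistrySupport.getMarshallerFactory().registerMarshaller(
                AuthnRequest.DEFAULT_ELEMENT_NAME, new AuthnRequestMarshaller() {
                    @Override
                    protected void marshallAttributes(XMLObject xmlObject, Element domElement)
                            throws MarshallingException {
                        AuthnRequest authnRequest = (AuthnRequest) xmlObject;
                        // Require the IdP to re-authenticate the user rather than
                        // reuse an existing session, and never ask for passive SSO.
                        authnRequest.setForceAuthn(true);
                        authnRequest.setIsPassive(false);
                        // Let the stock marshaller write the (now adjusted) attributes.
                        super.marshallAttributes(xmlObject, domElement);
                    }
                });
    }
}
```

Because the values are fixed at marshalling time, this fits the "same all the time" case; per-request values still need a custom Saml2AuthenticationRequestContextResolver.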

Comment From: ghost

Awesome that would work for me. Maybe in the future if there are multiple requests we could expose it as a property that can be configured?

Comment From: jzheaux

Yes, @adi-devops, that's a good point. ForceAuthn and AuthnContextClassRef have been requested a few times now.

Could you elaborate on what you mean by "expose it as a property"? I'm not sure it's common enough for a Boot property, but I could imagine a scenario where adding properties to Saml2AuthenticationRequestContext could be helpful.

Comment From: ghost

My bad, I did not know Saml2RelyingPartyProperties was part of the Boot properties. I am not very familiar with the codebase, but I think that would be a good location to set the property as it's used while creating the Saml2AuthenticationRequestFactory. If you could please refer me to a similar config I could try creating a PR :slightly_smiling_face:

Comment From: jzheaux

No problem, @adi-devops. You are correct that adding something to Saml2RelyingPartyProperties would mean adding a Boot property. In that case, you'd want to file a ticket with the Boot team; however, I'm thinking that these settings are not common enough to expose in that way.

What I think could be done is to add these properties to Saml2AuthenticationRequestContext. Then, applications could set them in a custom Saml2AuthenticationRequestContextResolver like so:

```java
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver;

@Bean
public Saml2AuthenticationRequestContextResolver
        authenticationRequestContextResolver(RelyingPartyRegistrationRepository relyingParties) {
    // local variable, so it is referenced directly rather than via this.resolver
    DefaultRelyingPartyRegistrationResolver resolver =
            new DefaultRelyingPartyRegistrationResolver(relyingParties);
    return (request) -> Optional.of(request).map(resolver::convert)
            .map((relyingParty) -> Saml2AuthenticationRequestContext.builder()
                    .relyingPartyRegistration(relyingParty)
                    .issuer(relyingParty.getEntityId())
                    .assertionConsumerServiceUrl(relyingParty.getAssertionConsumerServiceLocation())
                    .forceAuthn(true) // proposed in this issue; not yet part of the builder
                    // etc
                    .build())
            .orElse(null);
}
```

I like that since it reduces a three-step process to a one-step process for these more common settings.

Would you be able to contribute a PR that adds these properties to Saml2AuthenticationRequestContext and then also to OpenSamlAuthenticationRequestFactory to read them?

Comment From: ghost

Absolutely, can I give it a try? If I have any doubts, can we use this same issue thread to discuss the implementation too?

Comment From: jzheaux

Sounds great, @adi-devops.

Comment From: ghost

@jzheaux I have created an initial PR adding new properties in Saml2AuthenticationRequestContext and reading them in OpenSamlAuthenticationRequestFactory; can you please review it? Do we need to update DefaultSaml2AuthenticationRequestContextResolver#L70 and set these parameters as default false?

Comment From: jzheaux

Good question, @adi-devops. Since the defaults are passive, I believe that DefaultSaml2AuthenticationRequestContextResolver can stay as it is.

Comment From: amergey

Also, the ability to set the NameIDPolicy format would be great and useful. From experience with AuthnContextClassRef, this is something that we are used to configuring in order to connect to various SAML IdPs.

Comment From: jzheaux

Thanks for the feedback, @amergey. I believe that could be inferred from metadata, so I think a good start would be to add it to RelyingPartyRegistration.

If you agree, would you add some detail to that ticket (#9115) and indicate whether you are able to contribute a PR?

Comment From: kavi87

BTW, the example at https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-saml2login-opensaml-customization does not even compile and doesn't show how to actually register the custom AuthnRequestMarshaller (I guess through the factory param that is not used).

Comment From: kavi87

Also, while the converter is useful, I think that what most people will want is a hook into the default AuthnRequest before it is sent, in order to override parameters, instead of having to recreate an entire request from the SAML context.

Comment From: phuongnq

Hi, is there a way to override these parameters while using an XML-based configuration?