It would be nice for users to know exactly which version of OpenSAML classes to use. A check could be performed in order to ensure that the correct version of OpenSAML is being used in the current OpenSamlX implementation.
One option would be to add the check inside the OpenSamlX constructors.
See:
- https://github.com/spring-projects/spring-security/issues/10547
Comment From: igorpele
Hi, I would like to try this.
As far as I could see there is already a version check in the Saml2LoginConfigurer and Saml2LogoutConfigurer.
Additionally, should it be checked in the corresponding OpenSaml4LoginRequestResolver or OpenSaml4LoginRequestResolver (and all the other OpenSaml3... and OpenSaml4... classes) whether the correct version of OpenSAML is on the classpath?
Comment From: marcusdacoregio
Hi @igorpele, thanks for the interest. The ticket is yours.
Yes, I can think of creating a util class to retrieve the version, like it's being done in Saml2LoginConfigurer and Saml2LogoutConfigurer.
And inside each of those constructors, you should verify whether the version starts with 3 or 4. And for the SAML 2.0 Logout classes, the minimum version should be 4.1 as per https://github.com/spring-projects/spring-security/issues/10547#issuecomment-982394169.
Please, feel free to keep discussing if it's not crystal clear yet.
Comment From: igorpele
Hi @marcusdacoregio, thanks for the hints.
Is SAML2 SSO supported with OpenSAML version 4.0.1, as it throws an exception in the OpenSaml4AuthenticationProvider, as already mentioned in #10547?
The OpenSaml4LogoutRequestResolver and OpenSaml4LogoutResponseResolver will after this change only work with versions >= 4.1.0, but should this also be true for the OpenSaml4AuthenticationProvider?
Comment From: marcusdacoregio
> Is SAML2 SSO supported with OpenSAML version 4.0.1, as it throws an exception in the OpenSaml4AuthenticationProvider, as already mentioned in #10547?

I think we have to check if SSO is working with version 4.0.1; if not, the minimum version should be 4.1.x.

> The OpenSaml4LogoutRequestResolver and OpenSaml4LogoutResponseResolver will after this change only work with versions >= 4.1.0, but should this also be true for the OpenSaml4AuthenticationProvider?

Nice question. I think we can force the minimum version for all OpenSaml4 classes to be 4.1.x to keep consistency and avoid having multiple minor versions around. I'd like to see if @jzheaux has some input on this as well.
Comment From: igorpele
Hi @marcusdacoregio, I created a first shot of the discussed solution. It assumes that the OpenSAML 4 version has to be higher than or equal to 4.1.0 for both the OpenSaml4AuthenticationProvider and the OpenSaml4LogoutRequestResolver. Any hints are welcome. Thx. Cheers
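The constructor-time check discussed above, as an added illustration that is not Spring Security's own code or the code submitted in this thread. It reads the version through OpenSAML's `org.opensaml.core.Version.getVersion()` (which returns null when the library is not loaded from a jar with a manifest version) and rejects anything that is not a 4.x release at or above 4.1.0; the class name `OpenSamlVersionCheck` and its methods are assumed names.

```java
import org.opensaml.core.Version;

/**
 * Hypothetical helper (not part of Spring Security) that each OpenSaml4*
 * constructor could call to fail fast on an unsupported OpenSAML version.
 */
final class OpenSamlVersionCheck {

    private OpenSamlVersionCheck() {
    }

    /** Reads the OpenSAML version from the classpath; null if it cannot be determined. */
    static String detectVersion() {
        return Version.getVersion();
    }

    /** Throws if {@code actual} is not a 4.x release, or is a 4.x release older than 4.1.0. */
    static void requireOpenSaml4(String actual) {
        if (actual == null) {
            throw new IllegalStateException("cannot determine OpenSAML version");
        }
        if (!actual.startsWith("4.")) {
            throw new IllegalStateException("OpenSaml4* classes require OpenSAML 4.x, found " + actual);
        }
        if (compare(actual, "4.1.0") < 0) {
            throw new IllegalStateException("OpenSaml4* classes require OpenSAML 4.1.0 or later, found " + actual);
        }
    }

    /**
     * Numeric comparison of dotted versions, so that "4.1" equals "4.1.0" and
     * "4.10.0" sorts after "4.9.0"; a qualifier such as "-SNAPSHOT" is ignored.
     */
    static int compare(String a, String b) {
        String[] pa = a.split("-", 2)[0].split("\\.");
        String[] pb = b.split("-", 2)[0].split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }
}
```

A constructor would call `OpenSamlVersionCheck.requireOpenSaml4(OpenSamlVersionCheck.detectVersion())`; with 4.0.1 on the classpath this fails at construction with a clear message instead of surfacing later as the exception described in #10547.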
Comment From: teavirdis
Hi @marcusdacoregio, do you have information on when OpenSAML 4.1.1 will be available on Maven Central? Or whether it is planned at all? Thanks in advance!
Comment From: marcusdacoregio
Hi @teavirdis.
For now, they are not planning to deploy the artifacts to Maven Central as you can see here.
Comment From: marcusdacoregio
https://github.com/spring-projects/spring-security/pull/10693#issuecomment-1246913561