The protocol states that the Subject is optional.

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>

But there is always a check for the existence of a NameID (!hasName(firstAssertion)), and I get the error if there is no Subject.

org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider#process
org.springframework.security.saml2.core.Saml2ErrorCodes#SUBJECT_NOT_FOUND

Is it possible to implement disabling the check for the presence of a NameID?

Comment From: jzheaux

Thanks for the suggestion, @EgorBratuhin. Without a subject, I'm not sure what would be used for the principal.

If Subject weren't required, how would you expect the resulting Saml2AuthenticatedPrincipal to look?

Comment From: EgorBratuhin

We get the username from ADFS in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn attribute and had to find a workaround to do it.

Comment From: jzheaux

Makes sense. As a temporary workaround, are you able to have ADFS map the identity claim to the Subject element?

Would you like to submit a PR that moves the subject check from the process method to the default response authentication converter? I think this change makes sense because the default response authentication converter is what needs the non-null subject.

Then, in your application you can supply a custom response authentication converter.

Comment From: jzheaux

If you do want to do a PR, let's base it off of the 5.8.x branch.

Comment From: jzheaux

With additional context from https://github.com/spring-projects/spring-security/issues/12128 and https://github.com/spring-projects/spring-security/issues/12136, I believe what's needed is to make it so that principal extraction can be customized.

As #12136's description is the closest already to this, I'm going to close this as a duplicate and we can continue the conversation over there.
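
An added example, not part of the thread and not Spring Security's own code: a custom response authentication converter of the kind suggested above, taking the principal from the UPN attribute and failing closed when it is missing or ambiguous. It assumes the Subject check has been moved out of process as proposed in the thread, and it uses OpenSaml4AuthenticationProvider.ResponseToken (the OpenSAML 4 counterpart of the provider named in the issue); the class name UpnResponseAuthenticationConverter is hypothetical.

```java
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;

// Hypothetical class: builds the principal from the UPN claim instead of Subject/NameID.
public final class UpnResponseAuthenticationConverter implements Converter<ResponseToken, Saml2Authentication> {
    static final String UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";

    @Override
    public Saml2Authentication convert(ResponseToken token) {
        if (token.getResponse().getAssertions().isEmpty()) {
            throw notFound("Response contains no assertion");
        }
        // Like the NameID check quoted in the issue, only the first assertion is consulted.
        List<String> upns = token.getResponse().getAssertions().get(0).getAttributeStatements().stream()
                .flatMap((statement) -> statement.getAttributes().stream())
                .filter((attribute) -> UPN.equals(attribute.getName()))
                .flatMap((attribute) -> attribute.getAttributeValues().stream())
                .map(UpnResponseAuthenticationConverter::text)
                .filter((value) -> value != null && !value.trim().isEmpty())
                .collect(Collectors.toList());
        // Fail closed: a missing or multi-valued identity claim must not produce a principal.
        if (upns.size() != 1) {
            throw notFound("Expected exactly one UPN value, found " + upns.size());
        }
        String upn = upns.get(0);
        return new Saml2Authentication(
                new DefaultSaml2AuthenticatedPrincipal(upn,
                        Collections.singletonMap(UPN, Collections.<Object>singletonList(upn))),
                token.getToken().getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
    // Attribute values arrive as xs:string (XSString) or untyped (XSAny) elements.
    private static String text(XMLObject value) {
        return (value instanceof XSString) ? ((XSString) value).getValue()
                : (value instanceof XSAny) ? ((XSAny) value).getTextContent() : null;
    }
    private static Saml2AuthenticationException notFound(String description) {
        return new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, description));
    }
}
```

It is registered with setResponseAuthenticationConverter on the authentication provider. The converter runs after response and assertion validation, so the UPN is only read from an assertion that has already passed those checks.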