I migrated from spring security 5.7.2 to 6.0.0. In 5.7.2, if I set nameIdFormat of RelyingPartyRegistration, it was added to the AuthnRequest in OpenSaml4AuthenticationRequestFactory.createAuthnRequest. But in 6.0.0 nameIdFormat set in RelyingPartyRegistration is ignored and is not added to the AuthnRequest in OpenSamlAuthenticationRequestResolver.resolve. I am setting nameIdFormat like this.

```java
Builder builder = RelyingPartyRegistration.withRegistrationId(id);
...
builder.nameIdFormat(properties.getNameIdFormat());
RelyingPartyRegistration registration = builder.build();
```

What is the process now to add nameIdPolicy to the request?

Comment From: jzheaux

Hi, @Shabin. I think that setting the name id policy needs to be added to OpenSamlAuthenticationRequestResolver. Are you able to provide a PR that does that? If so, please include tests and also base it on 5.7.x since that is where the bug was first introduced.

In the meantime, you can customize the AuthnRequest like so:

```java
@Bean
OpenSaml4AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
    OpenSaml4AuthenticationRequestResolver authenticationRequestResolver =
            new OpenSaml4AuthenticationRequestResolver(new DefaultRelyingPartyRegistrationResolver(registrations));
    authenticationRequestResolver.setAuthnRequestCustomizer((context) -> {
        RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
        AuthnRequest request = context.getAuthnRequest();
        NameIDPolicy policy = // ...
        policy.setFormat(registration.getNameIdFormat());
        request.setNameIDPolicy(policy);
    });
    // the bean method must return the configured resolver
    return authenticationRequestResolver;
}
```
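A complete version of the customizer sketched above, written as an added example for this thread rather than code from the Spring Security project or from the commenter. It fills in the elided `NameIDPolicy` construction with OpenSAML's own `NameIDPolicyBuilder` (the resolver has already initialized OpenSAML, so no extra bootstrapping is assumed), skips registrations that have no `nameIdFormat` configured, and refuses to overwrite a policy another customizer already set. The class name `NameIdPolicyAuthnRequestConfig`, the helper `nameIdPolicyCustomizer()` and the `AllowCreate=true` choice are this example's assumptions, not anything the thread states.

```java
import java.util.function.Consumer;

import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;

// Hypothetical configuration class; the name is this example's choice.
@Configuration
public class NameIdPolicyAuthnRequestConfig {

    @Bean
    OpenSaml4AuthenticationRequestResolver authenticationRequestResolver(
            RelyingPartyRegistrationRepository registrations) {
        OpenSaml4AuthenticationRequestResolver resolver =
                new OpenSaml4AuthenticationRequestResolver(
                        new DefaultRelyingPartyRegistrationResolver(registrations));
        resolver.setAuthnRequestCustomizer(nameIdPolicyCustomizer());
        return resolver;
    }

    // Kept as a separate factory so it can be exercised in a unit test against a
    // hand-built AuthnRequestContext without wiring the whole resolver.
    static Consumer<OpenSaml4AuthenticationRequestResolver.AuthnRequestContext> nameIdPolicyCustomizer() {
        return (context) -> {
            RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
            String format = registration.getNameIdFormat();
            if (format == null) {
                // Nothing configured for this registration: leave the request as built
                // so the IdP's default NameID format applies.
                return;
            }
            AuthnRequest request = context.getAuthnRequest();
            if (request.getNameIDPolicy() != null) {
                // Another customizer already decided the policy; do not clobber it.
                return;
            }
            // OpenSAML's builder for the <samlp:NameIDPolicy> element.
            NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
            policy.setFormat(format);
            // Assumption: AllowCreate=true so the IdP may mint a persistent or transient
            // identifier on first login. Use false if the SP only accepts accounts that
            // are already provisioned on the IdP side.
            policy.setAllowCreate(true);
            request.setNameIDPolicy(policy);
        };
    }
}
```

After wiring this bean, confirm the change by capturing the outgoing `AuthnRequest` (for example with the browser's SAML tracer) and checking that the `<samlp:NameIDPolicy Format="...">` element carries the format configured on the registration; an IdP that does not support the requested format will typically answer with a `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy` status rather than an assertion, which is the failure to look for when the login suddenly stops working.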

Comment From: tatisled

Hi, @jzheaux @Shabin. I would prefer to add nameIdPolicy to RelyingPartyRegistration. I believe it has already been discussed here: https://github.com/spring-projects/spring-security/issues/9115. But while using nameIdFormat, the PR will fix the issue with ignoring it in AuthnRequest.