Hi,

I'm trying to use the RelayState to pass through a redirect URL after successful SAML authentication. We were still on version 5.7.3. I noticed there was an extra method introduced in 5.8.x setRelayStateResolver on the OpenSaml4AuthenticationRequestResolver class that does exactly what I need, but now I get an annoying error that seems to be a mismatch between spring security saml provider and the OpenSaml API.

Spring Security is passing an Instant while that method is expecting an org.joda.time.Datetime (despite what the name of the method implies). So that obviously doesn't work. I even wonder how the Spring Security SAML Provider project can compile. We are on JDK17, perhaps that's how this issue came up?

Is this a bug, or am I missing something? Seems like something more people should have been using in the past. And if it's a bug, is it an option to patch it also in the 5.7.x, 5.8.x branches? We're not ready yet to upgrade to the 6.0.x releases.

https://github.com/spring-projects/spring-security/blob/31bac01e413d12fb3abec19e85e67db9f30f903c/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java#L74

Comment From: willemsst

All I did to get this error was defining the following @Bean:

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
    import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
    import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;

    @Configuration
    class Saml2RelayStateConfig {

        @Bean
        Saml2AuthenticationRequestResolver authenticationRequestResolver(
                RelyingPartyRegistrationResolver registrations) {
            OpenSaml4AuthenticationRequestResolver authenticationRequests =
                    new OpenSaml4AuthenticationRequestResolver(registrations);
            // RelayState is derived from the incoming request; it is echoed back by the IdP
            authenticationRequests.setRelayStateResolver(this::resolveCustomRelayState);
            return authenticationRequests;
        }

        // Uses the URL that triggered the login as the RelayState value
        private String resolveCustomRelayState(HttpServletRequest request) {
            return request.getRequestURL().toString();
        }
    }

This behavior was introduced in https://github.com/spring-projects/spring-security/pull/11072 (and the code is a copy of the suggested solution in https://github.com/spring-projects/spring-security/issues/11065#issuecomment-1090767594).

Comment From: rwinch

It looks to me like you are trying to use the default OpenSaml 3 dependency with the OpenSaml4 implementation. OpenSaml 3 uses joda time and OpenSaml 4 starts to use Instant. Have you updated your dependencies to use OpenSaml 4?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: willemsst

You're right. I mixed up Saml3 with Saml4 classes 🤦‍♂️
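For readers hitting the same Joda-Time vs. Instant mismatch that rwinch diagnosed above, here is an added Maven example (not from the issue thread or the Spring Security project) that replaces the OpenSaml 3 artifacts pulled in transitively by spring-security-saml2-service-provider with OpenSaml 4, which OpenSaml4AuthenticationRequestResolver is compiled against. The `opensaml.version` property is a placeholder for whichever 4.x release you choose, and the Shibboleth repository URL is assumed to be the current one.

```xml
<!-- Added example, not part of the issue or the project: pin OpenSaml to 4.x so the
     3.x (Joda-Time based) versions are no longer on the classpath. -->
<properties>
  <!-- PLACEHOLDER: set to the OpenSaml 4.x release you use -->
  <opensaml.version>4.x.y</opensaml.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- All three OpenSaml artifacts must be the same 4.x version, otherwise the
         3.x versions Spring Security 5.x declares by default win for some of them. -->
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-core</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-saml-api</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-saml-impl</artifactId>
      <version>${opensaml.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Version is managed by the Spring Security BOM / Boot parent in use -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
  </dependency>
</dependencies>

<repositories>
  <!-- OpenSaml 4 is published to the Shibboleth repository, not Maven Central
       (URL is an assumption; check the Shibboleth project for the current one) -->
  <repository>
    <id>shibboleth-releases</id>
    <url>https://build.shibboleth.net/maven/releases/</url>
  </repository>
</repositories>
```

After changing the build, run `mvn dependency:tree` and confirm that no `org.opensaml:*:3.x` artifact and no `joda-time` remain on the classpath; a leftover 3.x artifact is exactly what produces the DateTime/Instant signature mismatch described in this issue.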