We are using spring-security-saml2-core version 1.0.10 extensively. Since end of life has been announced, we are migrating to spring-security-saml2-service-provider, and it looks like there is no clear documentation for it. Many classes like MetadataManager, etc. are removed. We want to know about the multitenant support as well. Also, is it possible to migrate the existing code with little change, or do we need to rewrite the module?
Posted the same on Stack Overflow and got no replies. So, adding the question here for better reach.
Comment From: stnor
I have the same issue and agree that documentation is lacking. Some concrete examples: 1) How to bootstrap an SP without Spring Boot with a JKS key store. 2) How to customise SAML authentication using a custom responseAuthenticationConverter.
Right now the only way forward is to dive into the source code unless you have a trivial use case.
@abinesh-s Please see #12664 for some of my other questions.
Comment From: abinesh-s
Hi @stnor, thanks for the reply. Also, are there any alternate classes available for "SAMLContextProviderLB", or alternate ways to implement this?
Comment From: marcusdacoregio
Hi folks, we have #8685 which resulted in https://github.com/spring-projects/spring-security/wiki/SAML-2.0-Migration-Guide. After reading the migration guide, what else do you think should be added to it?
Comment From: stnor
> Hi folks, we have #8685 which resulted in https://github.com/spring-projects/spring-security/wiki/SAML-2.0-Migration-Guide. After reading the migration guide, what else do you think should be added to it?

When you come from the old library as an SP in a large federation, it's 100% unclear to me how to migrate. To be blunt, that document isn't a migration guide. It's a shallow overview of changed concepts. There are no use-case based configuration examples and no or very little code. The examples that exist are based on trivial one-IdP setups. All examples assume Boot, which I don't use.
Personally, I've spent 2-3 days looking at the code trying to understand the new structure and experimenting, and I decided to give up until the documentation is better.
At present, perhaps based on my lack of understanding, I feel I need to write a bunch of code to work around the new url-per-idp scheme, when it was mostly plug'n'play in the old framework.
See for example #12664, #10551 and https://github.com/spring-projects/spring-security-samples/issues/64
I'd be willing to sponsor the work to get my use-case working and documented if this is a money matter.
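The two concrete gaps named in this thread (bootstrapping an SP without Spring Boot from a JKS key store with a custom responseAuthenticationConverter, and living with the url-per-idp scheme in a federation with many IdPs) can be covered by one plain `@Configuration` class. The following is an added example written for this thread; it is not code from the Spring Security project, the migration guide, or any commenter. It assumes placeholder values throughout: the keystore path and alias, the `SP_KEYSTORE_PASSWORD` environment variable, the IdP metadata URLs, and a `groups` SAML attribute. In the new module every IdP in the federation is its own `RelyingPartyRegistration`, distinguished by `registrationId` in the SSO and AuthnRequest URLs (`/login/saml2/sso/{registrationId}`), which is what replaces the single-endpoint, metadata-manager model of the old library.

```java
// Added example for this thread (not Spring Security project code). Placeholders:
// keystore path/alias, SP_KEYSTORE_PASSWORD, IdP metadata URLs, "groups" attribute.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SamlSpConfig {

    // Constructed federation list: registrationId -> IdP metadata location (placeholders).
    private static final Map<String, String> IDPS = Map.of(
            "idp-one", "https://idp-one.example.org/saml2/metadata",
            "idp-two", "https://idp-two.example.org/saml2/metadata");

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        // One SP key pair shared by all registrations, read from a JKS keystore.
        // The password comes from the environment, never from source control.
        Saml2X509Credential spKey = loadFromJks(Path.of("/etc/app/sp-keystore.jks"),
                System.getenv("SP_KEYSTORE_PASSWORD").toCharArray(), "sp-signing");

        List<RelyingPartyRegistration> registrations = new ArrayList<>();
        IDPS.forEach((registrationId, metadataLocation) -> registrations.add(
                // The IdP's verification and encryption certificates are taken from its
                // metadata; the SP only supplies its own signing/decryption key.
                RelyingPartyRegistrations.fromMetadataLocation(metadataLocation)
                        .registrationId(registrationId)
                        .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                        .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                        .signingX509Credentials(c -> c.add(spKey))
                        .decryptionX509Credentials(c -> c.add(spKey))
                        .build()));
        return new InMemoryRelyingPartyRegistrationRepository(registrations);
    }

    @Bean
    public SecurityFilterChain samlFilterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        provider.setResponseAuthenticationConverter(groupAwareConverter());
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                    .relyingPartyRegistrationRepository(registrations)
                    .authenticationManager(new ProviderManager(provider)));
        return http.build();
    }

    // Custom converter: keep the default validation (signature, audience, timestamps) and
    // only change the granted authorities, mapping an assumed "groups" attribute to ROLE_*.
    static Converter<ResponseToken, Saml2Authentication> groupAwareConverter() {
        Converter<ResponseToken, Saml2Authentication> defaults =
                OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
        return token -> {
            Saml2Authentication auth = defaults.convert(token);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) auth.getPrincipal();
            List<String> groups = principal.getAttribute("groups"); // attribute name is an assumption
            List<SimpleGrantedAuthority> authorities = new ArrayList<>();
            if (groups != null) {
                groups.forEach(g -> authorities.add(new SimpleGrantedAuthority("ROLE_" + g)));
            }
            return new Saml2Authentication(principal, auth.getSaml2Response(), authorities);
        };
    }

    // Reads one private key and its certificate from a JKS keystore into a Saml2X509Credential
    // usable for both signing AuthnRequests and decrypting encrypted assertions.
    static Saml2X509Credential loadFromJks(Path keystore, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        return new Saml2X509Credential(key, cert,
                Saml2X509Credential.Saml2X509CredentialType.SIGNING,
                Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
    }
}
```

Wrapping `createDefaultResponseAuthenticationConverter()` rather than replacing it is the safe way to customise authentication: the default converter is what carries the signature, audience and validity checks, so a converter that builds a `Saml2Authentication` from scratch must re-implement those or the SP will accept unverified responses. For a large federation, the `IDPS` map would be replaced by parsing the federation's aggregate metadata and producing one registration per `EntityDescriptor`, with the same per-registration URL scheme.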
Comment From: abinesh-s
Hi @marcusdacoregio, as @stnor said, the present document is very high level with little or no code-based examples in it. Ours is a Spring MVC based application and predominantly uses spring-security-saml2-core. We have used each and every available class from that package. Just want to know how easy it is to migrate to "spring-security-saml2-service-provider". A step-by-step guide pointing to the corresponding or alternate classes available in the "spring-security-saml2-service-provider" package would be better.
Comment From: stnor
@abinesh-s I've made some progress with migrating and am almost done. There is some code here: https://github.com/spring-projects/spring-security/issues/12664#issuecomment-1435724204
Comment From: abinesh-s
@stnor, could you please post the complete working sample on GitHub and share the link? It would be helpful for everyone who is looking for a similar example.
Comment From: stnor
I will try to do that once the PR is merged and released.
Comment From: abinesh-s
Thanks @stnor, waiting for the same. Also, one more question: are you using ADFS as the IdP? Would like to see the configuration related to that.
Comment From: stnor
I'm using many of the 200 IdPs in the federation, some of them are ADFS, but I haven't tested with any. Running SimpleSAML locally for testing. See https://github.com/stnor/fed-saml-example for code.
Comment From: abinesh-s
Thanks @stnor. Will check and get back to you if I have any questions.
Comment From: marcusdacoregio
Closing in favor of https://github.com/spring-projects/spring-security/issues/12840