I am using version 6.1.1 of Spring Security and I need to configure a single response processing endpoint for a federated IDP. I have referred to the Spring documentation which provides an example code snippet. However, I couldn't find the filterProcessingUrl method in the Saml2LoginConfigurer class. As a result, I'm getting a compile error stating that filterProcessingUrl is not found.
Here is the example code mentioned in the Spring documentation under the SAML2 Authentication Responses section:
```java
@Bean
SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
    http
        // ...
        // filterProcessingUrl is the method name given in the documentation snippet
        .saml2Login((saml2) -> saml2.filterProcessingUrl("/saml2/login/sso"));
        // ...
    return http.build();
}
```
And here is my code for the SAML 2.0 configuration:
```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.SecurityContextHolderFilter;

// authTokenSessionRestore, relyingPartyRegistrationRepository, loginSuccessHandler and
// loginFailureHandler are fields of the configuration class that are not shown in the post.
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
    OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
    http.authorizeHttpRequests(requests -> requests
            .requestMatchers("/saml2/service-provider-metadata/**")
            .permitAll()
        ).addFilterAfter(authTokenSessionRestore, SecurityContextHolderFilter.class)
        .saml2Login((saml2) -> saml2
            .authenticationManager(new ProviderManager(authenticationProvider))
            .relyingPartyRegistrationRepository(relyingPartyRegistrationRepository)
            .successHandler(loginSuccessHandler)
            .failureHandler(loginFailureHandler)
        ).saml2Logout(withDefaults());
    return http.build();
}
```
I'm wondering why I'm unable to find the saml2.filterProcessingUrl method in my code.
We have multiple federated IdPs and want a single assertion URL for all IdPs, like /saml2/SSO. How can we achieve a single assertion URL for all IdPs that is not dynamic by registration ID?
Comment From: sumeetpri
@marcusdacoregio @jzheaux Looking for your expert input: is the document https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html outdated?
Comment From: marcusdacoregio
Thanks for the report @sumeetpri, the property should be loginProcessingUrl instead of filterProcessingUrl. This is now fixed.
Comment From: ssharma1011
Hi @sumeetpri, were you able to find a solution for this in your original question: "We have multiple federated IdPs and want a single assertion URL for all IdPs, like /saml2/SSO. How can we achieve a single assertion URL for all IdPs that is not dynamic by registration ID?"
My use case: IdP1 sends an assertion; I find out from that assertion that it is coming from a particular IdP and process the SSO. Happy to open another issue if it is against guidelines.
Comment From: jzheaux
@ssharma1011, at this point, you should be able to set the value to /saml2/SSO, which you can read about here: https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html#saml2-response-processing-endpoint
Comment From: ssharma1011
Hi @jzheaux, thank you for your reply. I have a few questions:
1. I am using Spring Security 5.7.8, and when I try to set the URL as you mentioned, it gives me an exception that the login processing URL must include {registrationId}. Maybe it is not allowed in Spring Security version 5.7.8.
2. Also, the URL that you shared shows that I need to write this line: relyingPartyRegistrationBuilder.assertionConsumerServiceLocation("/saml/SSO"). Since I am using a yml file, the relyingPartyRegistrationBuilder is not customized in my code. Is there any way I can put this URL directly into my yml file?
3. I actually want to use a custom URL which should not contain /saml/SSO but {hostname}/anything/something. Is this achievable?
Attaching my yml and configuration file. We are upgrading our SP and looking to create unique metadata, and we don't want to go to our existing IdPs to change the URLs. This is an IdP-initiated SSO use case. I have looked a lot online but couldn't find a definitive answer. Looking for your expert comments.
```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig {

    final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    public SecurityConfig(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
                new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
        // Serves SP metadata; the cast selects the Converter-based Saml2MetadataFilter constructor.
        Saml2MetadataFilter filter = new Saml2MetadataFilter(
                (Converter<HttpServletRequest, RelyingPartyRegistration>) relyingPartyRegistrationResolver,
                new OpenSamlMetadataResolver());
        filter.setRequestMatcher(new AntPathRequestMatcher("SP Entity ID")); // placeholder pattern from the post
        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
        http
            // .exceptionHandling((exceptions) -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/brokersso")))
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            .csrf().disable()
            //.ignoringAntMatchers("/login/saml2/sso/**")
            //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .saml2Login(saml2 -> saml2
                .authenticationManager(new ProviderManager(authenticationProvider))
                // in 5.7.x this value must contain {registrationId}; this line raises the exception described above
                .loginProcessingUrl("/saml2/login/sso"))
            .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }
}
```
```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta1:
            signing:
              credentials:          # key/certificate entries omitted in the post
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"
          okta2:
            signing:
              credentials:          # key/certificate entries omitted in the post
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"
```
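The configuration that jzheaux's reply and the questions above circle around, written out as an added example (not code from this thread or from the Spring Security project): a Spring Security 6.1 setup in which two IdP registrations share one SP entityID and one Assertion Consumer Service URL, /saml2/SSO, instead of the default /login/saml2/sso/{registrationId}. The class name, the IdP metadata URLs, the key and certificate file names and the SP entityID are assumptions for illustration.

```java
package example; // assumed package name

import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example for Spring Security 6.1: two IdP registrations share one SP entityID and one
 * ACS URL (/saml2/SSO). IdP metadata URLs, key/certificate locations and names are assumed.
 */
@Configuration
public class SharedAcsSamlConfig {

    // {baseUrl} is expanded by Spring Security from the incoming request.
    private static final String SP_ENTITY_ID = "{baseUrl}/saml2/sp";          // assumed
    private static final String SHARED_ACS_LOCATION = "{baseUrl}/saml2/SSO";  // assumed

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        Saml2X509Credential signing = loadSigningCredential("sp-signing.key", "sp-signing.crt");
        // Each registration keeps its own asserting party (resolved from that IdP's metadata),
        // but every one advertises the same ACS, so the SP metadata given to each IdP is identical.
        return new InMemoryRelyingPartyRegistrationRepository(
                sharedAcsRegistration("okta1", "https://idp1.example.test/app/sso/metadata", signing),
                sharedAcsRegistration("okta2", "https://idp2.example.test/app/sso/metadata", signing));
    }

    private static RelyingPartyRegistration sharedAcsRegistration(
            String registrationId, String idpMetadataLocation, Saml2X509Credential signing) {
        return RelyingPartyRegistrations.fromMetadataLocation(idpMetadataLocation)
                .registrationId(registrationId)
                .entityId(SP_ENTITY_ID)
                .assertionConsumerServiceLocation(SHARED_ACS_LOCATION)
                .signingX509Credentials(creds -> creds.add(signing))
                .build();
    }

    // Loads a PKCS#8 private key and an X.509 certificate from the classpath (assumed file names).
    private static Saml2X509Credential loadSigningCredential(String keyFile, String certFile) throws Exception {
        try (InputStream key = new ClassPathResource(keyFile).getInputStream();
             InputStream cert = new ClassPathResource(certFile).getInputStream()) {
            RSAPrivateKey privateKey = RsaKeyConverters.pkcs8().convert(key);
            X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(cert);
            return Saml2X509Credential.signing(privateKey, certificate);
        }
    }

    @Bean
    SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/saml2/service-provider-metadata/**").permitAll()
                .anyRequest().authenticated())
            // The processing endpoint carries no {registrationId} and must match the ACS location
            // above (minus {baseUrl}); otherwise the IdPs POST responses to a path nothing handles.
            .saml2Login(saml2 -> saml2.loginProcessingUrl("/saml2/SSO"));
        return http.build();
    }
}
```

Two things a practitioner will want to check. First, the version: the 5.7.x DSL asserts that loginProcessingUrl contains {registrationId}, which is exactly the exception quoted in the comment above, so this shape needs the 6.x line that jzheaux points at. Second, the trust boundary: with no registrationId in the URL, the registration has to be picked from the SAML Response itself (its Issuer), and that value is attacker-controlled until the signature has been verified with the chosen registration's verification credentials, so keep each registration's asserting party distinct and never pool verification keys across registrations. For a Spring Boot yml setup, the per-registration `acs.location` property (`spring.security.saml2.relyingparty.registration.<id>.acs.location`, available since Boot 2.6) is the property-file counterpart of `assertionConsumerServiceLocation(...)` shown here.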
Comment From: ssharma1011
Hi @jzheaux @sumeetpri, waiting for your valuable suggestion.
Comment From: jzheaux
I see, @ssharma1011, let's do this instead. So that this ticket stays focused to the discussion about filterProcessingUrl, will you please post your question to StackOverflow? You can paste a link to your question here, and I'd be happy to follow up with you there.