When trying to follow the samples outlined in SAML2 Reference, adding the custom auth provider results in the following stacktrace when trying to log in with SAML2 SSO:
java.lang.NoSuchMethodError: 'void org.opensaml.saml.saml2.assertion.SAML20AssertionValidator.<init>(java.util.Collection, java.util.Collection, java.util.Collection, org.opensaml.saml.saml2.assertion.AssertionValidator, org.opensaml.xmlsec.signature.support.SignatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator)'
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators$3.<init>(OpenSaml4AuthenticationProvider.java:833) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators.<clinit>(OpenSaml4AuthenticationProvider.java:832) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.lambda$createDefaultAssertionSignatureValidator$8(OpenSaml4AuthenticationProvider.java:616) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.lambda$createAssertionValidator$11(OpenSaml4AuthenticationProvider.java:706) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.process(OpenSaml4AuthenticationProvider.java:539) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.authenticate(OpenSaml4AuthenticationProvider.java:488) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.7.1.jar:5.7.1]
at org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter.attemptAuthentication(Saml2WebSsoAuthenticationFilter.java:113) ~[spring-security-saml2-service-provider-5.7.1.jar:5.7.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-5.7.1.jar:5.7.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) ~[spring-security-web-5.7.1.jar:5.7.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.7.1.jar:5.7.1]
Checking the code for OpenSaml4AuthenticationProvider shows this on line 832:
    private static final SAML20AssertionValidator attributeValidator = new SAML20AssertionValidator(conditions,
            subjects, statements, null, null, null) { // <------ HERE - 6 params being passed to constructor
        @Nonnull
        @Override
        protected ValidationResult validateSignature(Assertion token, ValidationContext context) {
            return ValidationResult.VALID;
        }
    };
Note the 6 parameters being passed to the constructor.
Then checking the SAML20AssertionValidator class shows there is a constructor with the following signature:
    public SAML20AssertionValidator(@Nullable final Collection<ConditionValidator> newConditionValidators,
            @Nullable final Collection<SubjectConfirmationValidator> newConfirmationValidators,
            @Nullable final Collection<StatementValidator> newStatementValidators,
            @Nullable final SignatureTrustEngine newTrustEngine,
            @Nullable final SignaturePrevalidator newSignaturePrevalidator) {
        ...
    }
This constructor only accepts 5 parameters.
Either my dependency versions are out of whack, or there's one too many nulls being passed to the constructor.
Comment From: rwinch
Can you provide the dependencies that you are using? You would need to ensure you are using OpenSAML4 and not OpenSAML3.
Comment From: nicoweidner
I ran into a similar issue, and I think I found the solution: It's a version thing, you need 4.1+ of opensaml (newest is 4.2.0). I haven't found a good way to link the opensaml source code, so the Javadocs will have to do.
I first used opensaml 4.0.1 because that's the latest version listed in Maven repo: https://mvnrepository.com/artifact/org.opensaml/opensaml-saml-impl.
However, it's not actually the latest version - that would be 4.2.0, which you can find out on the Shibboleth page. Until opensaml 4.0.1, SAML20AssertionValidator only had a constructor with 5 arguments: http://shibboleth.net/sites/release/java-opensaml/4.0.1/apidocs/org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.html.
However, the API changed in 4.1, now the old constructor is deprecated and it has another one with 6 arguments that spring-security uses: https://shibboleth.net/sites/release/java-opensaml/4.1.0/apidocs/org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.html. So you need to be using opensaml 4.1+
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: GrmpfNarf
I ran into a similar issue, and I think I found the solution: It's a version thing, you need 4.1+ of opensaml (newest is 4.2.0). I haven't found a good way to link the opensaml source code, so the Javadocs will have to do.
I first used opensaml 4.0.1 because that's the latest version listed in Maven repo: https://mvnrepository.com/artifact/org.opensaml/opensaml-saml-impl. However, it's not actually the latest version - that would be 4.2.0, which you can find out on the Shibboleth page. Until opensaml 4.0.1, SAML20AssertionValidator only had a constructor with 5 arguments: http://shibboleth.net/sites/release/java-opensaml/4.0.1/apidocs/org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.html. However, the API changed in 4.1, now the old constructor is deprecated and it has another one with 6 arguments that spring-security uses: https://shibboleth.net/sites/release/java-opensaml/4.1.0/apidocs/org/opensaml/saml/saml2/assertion/SAML20AssertionValidator.html. So you need to be using opensaml 4.1+
I can confirm that after upgrading from 4.0.1 (mvnrepository.com confusion) to 4.2.0 it works like a charm.
Comment From: marcusdacoregio
Duplicate of https://github.com/spring-projects/spring-security/issues/10539
Comment From: pratheeparoche
Hi,
I am new to SAML. I am facing the same issue. After updating the pom file to use opensaml 4.2.0, it is not able to pick it up, as the Maven repository does not have the version. Please help me sort out this issue.
Comment From: marcusdacoregio
Hi @pratheeparoche, have you added https://build.shibboleth.net/nexus/content/repositories/releases/ to your list of repositories?
Comment From: martinwunderlich-celonis
Ran into the same issue. Apparently, Spring Security moved to OpenSaml v.4.1.1 with their 6.0.0 release. https://github.com/spring-projects/spring-security/blob/6.0.0/gradle.properties
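
A classpath check for the mismatch diagnosed in this thread, as an added example that is not part of the original issue or of Spring Security: it reports which jar supplies SAML20AssertionValidator and whether the 6-argument constructor from the stack trace exists. The class name OpenSamlClasspathCheck is hypothetical, and the check assumes it is run on the same runtime classpath as the application.

```java
import java.lang.reflect.Constructor;
import java.security.CodeSource;

/** Added diagnostic (hypothetical name, not Spring Security or OpenSAML code). */
public class OpenSamlClasspathCheck {

    // Class named in the NoSuchMethodError; loaded by name so this file
    // compiles even when OpenSAML is absent from the compile classpath.
    static final String VALIDATOR =
            "org.opensaml.saml.saml2.assertion.SAML20AssertionValidator";

    public static void main(String[] args) {
        Class<?> validator;
        try {
            // initialize=false: inspect the class without running its static init.
            validator = Class.forName(VALIDATOR, false,
                    OpenSamlClasspathCheck.class.getClassLoader());
        } catch (ClassNotFoundException | LinkageError e) {
            System.err.println("OpenSAML is not loadable: " + e);
            System.exit(2);
            return;
        }

        // Jar the class was actually loaded from; exposes a stale transitive copy.
        CodeSource source = validator.getProtectionDomain().getCodeSource();
        System.out.println("Loaded from: "
                + (source != null ? source.getLocation() : "unknown"));
        // Implementation-Version comes from the jar manifest and may be null.
        Package pkg = validator.getPackage();
        System.out.println("Manifest version: "
                + (pkg != null ? pkg.getImplementationVersion() : null));

        boolean hasSixArg = false;
        for (Constructor<?> c : validator.getDeclaredConstructors()) {
            System.out.println(c.getParameterCount() + " parameters: " + c);
            hasSixArg |= c.getParameterCount() == 6;
        }

        if (!hasSixArg) {
            // Per the thread, only the 5-argument constructor exists before 4.1.
            System.err.println("No 6-argument constructor found; "
                    + "OpenSaml4AuthenticationProvider will fail as in the trace.");
            System.exit(1);
        }
        System.out.println("6-argument constructor present.");
    }
}
```

A non-zero exit code makes the check usable as a build or startup gate, so a downgraded OpenSAML jar is caught before the first SSO login fails.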