I want to set the RelayState parameter so that I can pass a redirectUrl received at runtime from a different request. This was possible in the SAML extension library by overriding the getProfileOptions() method of the SAMLEntryPoint class. However, it is not possible to do the same in Spring Security even with the following XML configuration:

<http>
    <saml2-login relying-party-registration-repository-ref="xxxxx"/>
</http>

I cannot find a sample application that showcases how to create a relying-party-registration-repository bean where I can pass the relying-party-registrations to its constructor. The relying-party-registrations should allow an alias to be used as a reference in some other place.

Comment From: mohitkumar5

An XML sample configuring relying-party-registration-repository-ref would be really helpful.

Comment From: jzheaux

Hi, @abhishek-bafna-amdhan, thanks for reaching out. It sounds like you want to configure a custom way to set the RelayState parameter value.

You can do this by customizing the Saml2AuthenticationRequestResolver like so:

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.core.convert.converter.Converter;

public class RelayStateResolver implements Converter<HttpServletRequest, String> {
    // ... your custom implementation of convert(HttpServletRequest),
    // returning the RelayState value to send with the AuthnRequest
}

<http>
    <saml2-login authentication-request-resolver-ref="ref" ... />
    ...
</http>

<b:bean id="relayStateResolver" class="RelayStateResolver"/>
<b:bean id="ref" class="org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver">
    <b:property name="relayStateResolver" ref="relayStateResolver"/>
</b:bean>

I can see this isn't covered in the reference, so I'll keep this ticket open to update that.

Does that seem sufficient to address your issue?
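As an added illustration (not code from the thread or from Spring Security itself), here is one way the RelayStateResolver stub above could be filled in for the original use case of carrying a redirect URL: it reads an assumed "redirectUrl" request parameter, accepts only a same-origin relative path so the RelayState cannot become an open redirect when the IdP posts back, and otherwise falls back to an opaque random token. The static requestResolver helper shows the wiring using the repository-accepting constructor mentioned later in the thread (6.1+).

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;

import java.net.URI;
import java.util.UUID;
import java.util.regex.Pattern;

/**
 * Derives the RelayState value from a request parameter (name is an assumption
 * for this example). Only a single-origin relative path is accepted, because the
 * RelayState value is later used as a post-login redirect target.
 */
public class RelayStateResolver implements Converter<HttpServletRequest, String> {

    // Assumed name of the parameter carrying the post-login destination.
    static final String REDIRECT_PARAM = "redirectUrl";

    // One leading slash; reject "//host" and "/\host" forms and any scheme.
    private static final Pattern SAFE_PATH =
            Pattern.compile("^/(?![/\\\\])[\\w\\-./?=&%#]*$");

    @Override
    public String convert(HttpServletRequest request) {
        String candidate = request.getParameter(REDIRECT_PARAM);
        if (isSafeRelativePath(candidate)) {
            return candidate;
        }
        // Never forward an unvalidated value; use an unguessable opaque token instead.
        return UUID.randomUUID().toString();
    }

    static boolean isSafeRelativePath(String value) {
        if (value == null || value.length() > 512 || !SAFE_PATH.matcher(value).matches()) {
            return false;
        }
        try {
            // Double-check with the URI parser: no scheme and no authority component.
            URI uri = new URI(value);
            return !uri.isAbsolute() && uri.getAuthority() == null;
        } catch (Exception e) {
            return false;
        }
    }

    // Wiring example using the constructor that takes a RelyingPartyRegistrationRepository.
    static OpenSaml4AuthenticationRequestResolver requestResolver(RelyingPartyRegistrationRepository registrations) {
        OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(registrations);
        resolver.setRelayStateResolver(new RelayStateResolver());
        return resolver;
    }
}
```

Whatever consumes the RelayState after the IdP response should apply the same isSafeRelativePath check again, since the value round-trips through the IdP and the user's browser.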

Comment From: abhishek-bafna-amdhan

Hi @jzheaux, thanks for getting back to me. I'm hoping you might be able to clarify something for me about the reference for "relying-party-registration-repository-ref". It appears to be needed because the OpenSaml4AuthenticationRequestResolver needs a RelyingPartyRegistrationResolver, and the default implementation (DefaultRelyingPartyRegistrationResolver) requires a RelyingPartyRegistrationRepository in its constructor.

Comment From: jzheaux

@abhishek-bafna-amdhan, this has hopefully been alleviated in 6.1, which introduces a constructor in OpenSaml4AuthenticationRequestResolver for RelyingPartyRegistrationRepository. If that doesn't help, please feel free to open a StackOverflow question and paste the link to it here. We can continue to investigate your question over there.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

Comment From: abhishek-bafna-amdhan

Thank you for looking into this. The resolution provided by https://github.com/spring-projects/spring-security/issues/14487 will resolve this issue.

Thanks again!