Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338
Conversation
|
@chschu Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
|
@chschu Thank you for signing the Contributor License Agreement! |
spring-projects-issues
added
the
status: waiting-for-triage
…AML 2.0 Single Logout Issue spring-projectsgh-10820
There was a problem hiding this comment.
I'm not totally clear on why this new interface is needed. Maybe the code instead should check for authentication as well as authentication.getPrincipal being of type Saml2AuthenticatedPrincipal. The code could change to:
if (authentication instanceof Saml2AuthenticatedPrincipal principal) {
return principal.getRelyingPartyRegistrationId();
}
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
return principal.getRelyingPartyRegistrationId();
}It seems like this would achieve what you are wanting without adding a new interface to support. This is nice since there is such a big overlap between Saml2AuthenticatedPrincipal and Saml2AuthenticationInfo's methods.
There was a problem hiding this comment.
Because an authentication token is not a principal, while both a token and a principal can be sources of SAML information.
You don't want to have Saml2Authentication implements Saml2AuthenticatedPrincipal do you?
| * Get the {@link NameID} value of the authenticated principal | ||
| * @return the {@link NameID} value of the authenticated principal | ||
| */ | ||
| String getNameId(); |
There was a problem hiding this comment.
I don't understand why this method is necessary. It duplicates Authentication#getName since that returns the NameID value by default.
If you for some reason need something different to be returned in Authentication#getName, I'd recommend using OpenSaml4LogoutRequestResolver#setParametersCustomizer to alter the NameID value in the LogoutRequest instance.
There was a problem hiding this comment.
There are many cases where Authentication#getName and Saml2AuthenticationInfo#getNameID should return different things.
A SAML NameID is often an random string or a hash output, and can also be unique for every session. While the username should be a consistent, usually human-readable, string from the application domain.
Currently, changing the username breaks SLO.
|
@chschu, I realize it's been a bit since you submitted this PR. I've posted a review; once we are aligned on how to change things, I'm happy to do the legwork to resolve the conflicting files so that you can focus on making the implementation changes. |
jzheaux
added
status: duplicate
|
i had to use this as a work around for now. https://stackoverflow.com/a/78768756/19424868 |
Issue gh-10820
When using a custom authenticated principal that does not implement
Saml2AuthenticatedPrincipal, theAuthenticationitself can now implementSaml2AuthenticationInfoto provide the same information.Making the authenticated principal implement the
Saml2AuthenticatedPrincipalinterface is not always an option. The authenticated principal can be an opaqueObjectcreated and consumed by code completely unaware of Spring Security.On the other hand, the code that creates a custom
Authenticationalready has Spring Security on the classpath, so implementingSaml2AuthenticationInfothere should always be possible.The new interface
Saml2AuthenticationInfois currently only used for SAML 2.0 Single Logout. If neither the authenticated principal nor theAuthenticationitself implements it, SAML 2.0 Single Logout requests won't be detected.This PR does not change the default behavior. It improves flexibility if
OpenSaml4AuthenticationProvider.responseAuthenticationConverteris customized.