-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338
base: main
Are you sure you want to change the base?
Conversation
@chschu Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
@chschu Thank you for signing the Contributor License Agreement! |
…AML 2.0 Single Logout Issue spring-projectsgh-10820
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not totally clear on why this new interface is needed. Maybe the code instead should check for authentication
as well as authentication.getPrincipal
being of type Saml2AuthenticatedPrincipal
. The code could change to:
if (authentication instanceof Saml2AuthenticatedPrincipal principal) {
return principal.getRelyingPartyRegistrationId();
}
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
return principal.getRelyingPartyRegistrationId();
}
It seems like this would achieve what you are wanting without adding a new interface to support. This is nice since there is such a big overlap between Saml2AuthenticatedPrincipal
and Saml2AuthenticationInfo
's methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because an authentication token is not a principal, while both a token and a principal can be sources of SAML information.
You don't want to have Saml2Authentication implements Saml2AuthenticatedPrincipal
do you?
* Get the {@link NameID} value of the authenticated principal | ||
* @return the {@link NameID} value of the authenticated principal | ||
*/ | ||
String getNameId(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand why this method is necessary. It duplicates Authentication#getName
since that returns the NameID
value by default.
If you for some reason need something different to be returned in Authentication#getName
, I'd recommend using OpenSaml4LogoutRequestResolver#setParametersCustomizer
to alter the NameID
value in the LogoutRequest
instance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are many cases where Authentication#getName
and Saml2AuthenticationInfo#getNameID
should return different things.
A SAML NameID is often an random string or a hash output, and can also be unique for every session. While the username should be a consistent, usually human-readable, string from the application domain.
Currently, changing the username breaks SLO.
@chschu, I realize it's been a bit since you submitted this PR. I've posted a review; once we are aligned on how to change things, I'm happy to do the legwork to resolve the conflicting files so that you can focus on making the implementation changes. |
i had to use this as a work around for now. https://stackoverflow.com/a/78768756/19424868 |
Issue gh-10820
When using a custom authenticated principal that does not implement
Saml2AuthenticatedPrincipal
, theAuthentication
itself can now implementSaml2AuthenticationInfo
to provide the same information.Making the authenticated principal implement the
Saml2AuthenticatedPrincipal
interface is not always an option. The authenticated principal can be an opaqueObject
created and consumed by code completely unaware of Spring Security.On the other hand, the code that creates a custom
Authentication
already has Spring Security on the classpath, so implementingSaml2AuthenticationInfo
there should always be possible.The new interface
Saml2AuthenticationInfo
is currently only used for SAML 2.0 Single Logout. If neither the authenticated principal nor theAuthentication
itself implements it, SAML 2.0 Single Logout requests won't be detected.This PR does not change the default behavior. It improves flexibility if
OpenSaml4AuthenticationProvider.responseAuthenticationConverter
is customized.