spring-attic / spring-security-saml

SAML extension for the Spring Security project

Support for Requested Authentication Context Class Reference in the Requested Authentication Context #439

Closed oharsta closed 5 years ago

oharsta commented 5 years ago

We use Spring Security SAML in the OpenID Connect - SAML proxy of SURFnet. We want to support OIDC acr_values (Requested Authentication Context Class Reference values: "Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request") and the corresponding SAML <AuthnContextClassRef> element in the <RequestedAuthnContext> element.

The opensaml library has support for this in org.opensaml.saml.saml2.core.RequestedAuthnContext, but org.springframework.security.saml.saml2.authentication.RequestedAuthenticationContext does not. Proposal is to add AuthnContextClassRef values to the Spring RequestedAuthenticationContext and populate these values in OpenSamlImplementation#getRequestedAuthenticationContext.

The org.springframework.security.saml.saml2.authentication.AuthenticationStatement already has support for an AuthenticationContextClassReference in the AuthenticationContext; however, the actual value of the AuthenticationContextClassReference is limited as it is an enum. Proposal is to make this a free-format String and change the implementation of the parsing of the List<AuthnStatement> in OpenSamlImplementation.

The SAML specification does not dictate predefined values for the <AuthnContextClassRef> element. Cited: "A URI reference identifying an authentication context class that describes the authentication context declaration that follows."

If agreed with this functionality and the proposed changes I'm more than happy to write a PR in the development branch.
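The mapping the proposal describes, as an added example that is not part of this thread or of the spring-security-saml code base: the space-separated acr_values string becomes one `<saml:AuthnContextClassRef>` per value inside `<samlp:RequestedAuthnContext>`, the class reference in the returned `<saml:AuthnStatement>` is read back as a free-format string rather than an enum, and the SP checks that the asserted class is actually one it requested before trusting it. The sample assertion and the `https://example.org/...` class reference are constructed for the example.

```python
# Added example (not spring-security-saml code): OIDC acr_values <-> SAML AuthnContextClassRef.
from __future__ import annotations
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def requested_authn_context(acr_values: str, comparison: str = "exact") -> ET.Element:
    """Build <samlp:RequestedAuthnContext> from the space-separated acr_values string,
    one <saml:AuthnContextClassRef> per value, order preserved (it expresses preference)."""
    refs = [v for v in acr_values.split(" ") if v]
    if not refs:
        raise ValueError("acr_values must contain at least one class reference")
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for ref in refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac

def asserted_class_refs(assertion_xml: str) -> list[str]:
    """Collect every AuthnContextClassRef from the AuthnStatements as plain strings;
    any URI is accepted here, which is what the free-format proposal asks for."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    return [(e.text or "").strip() for e in root.findall(path)]

def acr_satisfied(acr_values: str, assertion_xml: str) -> Optional[str]:
    """Return the asserted class reference that is in the requested set, or None.
    With Comparison="exact" an assertion whose class was never requested must not be
    treated as having met the acr requirement, even though the string itself parses fine."""
    requested = set(acr_values.split())
    for ref in asserted_class_refs(assertion_xml):
        if ref in requested:
            return ref
    return None

# Constructed sample assertion (unsigned, minimal): the IdP asserts the standard
# PasswordProtectedTransport class, not the constructed MFA class.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0"
    IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2019-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(ET.tostring(requested_authn_context("https://example.org/ac/constructed-mfa"), encoding="unicode"))
    print(acr_satisfied("https://example.org/ac/constructed-mfa", SAMPLE_ASSERTION))
```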

fhanik commented 5 years ago

Absolutely. Open a PR.

oharsta commented 5 years ago

Implemented in https://github.com/spring-projects/spring-security-saml/pull/440

oharsta commented 5 years ago

@fhanik Thanks for the commit. Our - specific - use case requires support for multiple AuthenticationContextClassReference values in the AuthenticationRequest. I created a new pull request with this small change: https://github.com/spring-projects/spring-security-saml/pull/441

If agreed could I ask you for a new 2.0.0.M30 artifactory release? Thanks again.