spring-attic / spring-security-saml

SAML extension for the Spring Security project

Why is the Subject of the Assertion required? #528

Closed EgorBratuhin closed 2 years ago

EgorBratuhin commented 2 years ago

The protocol states that the Subject is optional.

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>

But there is always a check for the existence of a NameID, !hasName(firstAssertion), and I get the error if there is no Subject:

org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider#process
org.springframework.security.saml2.core.Saml2ErrorCodes#SUBJECT_NOT_FOUND

Is it possible to implement disabling the check for the presence of a NameID?
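An added example, not part of the original issue and not Spring Security's code: a standalone Python pre-check that classifies an assertion by what a NameID-presence check like the `!hasName(firstAssertion)` mentioned above would find, so an IdP response can be triaged before it reaches the service provider. The function name, status strings and sample assertions are constructed for illustration, and the exact conditions inside Spring Security's `hasName` are an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def name_id_status(assertion_xml: str) -> str:
    """Classify an Assertion by whether a usable Subject/NameID is present.

    Hypothetical helper: the statuses are this example's own labels, not
    Spring Security error codes.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    subject = root.find("saml:Subject", NS)
    if subject is None:
        # Schema-valid (minOccurs="0"), but nothing identifies the principal.
        return "no-subject"
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        # e.g. a Subject carrying only SubjectConfirmation
        return "subject-without-nameid"
    if not (name_id.text or "").strip():
        return "empty-nameid"
    return "ok"


def _assertion(body: str) -> str:
    # Constructed, unsigned sample assertion; identifiers are placeholders.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>https://idp.example.test</saml:Issuer>{body}"
        f"</saml:Assertion>"
    )


SAMPLES = {
    "full": _assertion("<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"),
    "no_subject": _assertion(""),
    "confirmation_only": _assertion(
        '<saml:Subject><saml:SubjectConfirmation '
        'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>'
    ),
    "blank": _assertion("<saml:Subject><saml:NameID>  </saml:NameID></saml:Subject>"),
}

if __name__ == "__main__":
    for label, xml in SAMPLES.items():
        print(f"{label:18} -> {name_id_status(xml)}")
```

Only the `full` sample carries a non-empty NameID; the other three are the shapes to look for in an IdP's output when the service provider reports SUBJECT_NOT_FOUND.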