spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Unable to Find 'filterProcessingUrl' Method in Spring Security 6.1.1 Saml2LoginConfigurer Configuration #13417

Closed sumeetpri closed 1 year ago

sumeetpri commented 1 year ago

I am using version 6.1.1 of Spring Security and I need to configure a single response processing endpoint for a federated IDP. I have referred to the Spring documentation which provides an example code snippet. However, I couldn't find the filterProcessingUrl method in the Saml2LoginConfigurer class. As a result, I'm getting a compile error stating that filterProcessingUrl is not found.

Here is the example code mentioned in the Spring documentation under the SAML2 Authentication Responses section:

@Bean
SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
    http
        // ...
        .saml2Login((saml2) -> saml2.filterProcessingUrl("/saml2/login/sso"))
        // ...

    return http.build();
}

And here is my code for the SAML 2.0 configuration:

SecurityFilterChain configure(HttpSecurity http) throws Exception {
    OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
    http.authorizeHttpRequests(requests -> requests
            .requestMatchers("/saml2/service-provider-metadata/**")
            .permitAll()
        ).addFilterAfter(authTokenSessionRestore, SecurityContextHolderFilter.class)
        .saml2Login((saml2) -> saml2
            .authenticationManager(new ProviderManager(authenticationProvider))
            .relyingPartyRegistrationRepository(relyingPartyRegistrationRepository)
            .successHandler(loginSuccessHandler)
            .failureHandler(loginFailureHandler)

        ).saml2Logout(withDefaults());

    return http.build();
}

I'm wondering why I'm unable to find the saml2.filterProcessingUrl method in my code.

We have multiple federated IdPs and want a single assertion URL for all IdPs, like /saml2/SSO. How can we achieve a single assertion URL for all IdPs that is not dynamic by registration ID?

sumeetpri commented 1 year ago

@marcusdacoregio @jzheaux Looking for your expert input: is the document https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html outdated?

marcusdacoregio commented 1 year ago

Thanks for the report @sumeetpri, the property should be loginProcessingUrl instead of filterProcessingUrl. This is now fixed.

ssharma1011 commented 9 months ago

Hi @sumeetpri, were you able to find a solution to your original question: "We have multiple federated IdPs and want a single assertion URL for all IdPs, like /saml2/SSO. How can we achieve a single assertion URL for all IdPs that is not dynamic by registration ID?"

My use case: idp1 sends an assertion, I find out from that assertion that it is coming from a particular IdP, and I process the SSO. Happy to open another issue if this is against guidelines.

jzheaux commented 9 months ago

@ssharma1011, at this point, you should be able to set the value to /saml2/SSO, which you can read about here: https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html#saml2-response-processing-endpoint
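The following is an added example, not code from the thread or from the Spring Security project, showing how the corrected property from the comments above (loginProcessingUrl rather than filterProcessingUrl) fits together with a single assertion consumer service location shared by several IdPs in a Spring Security 6.1-style configuration. The IdP metadata URLs, the registration IDs idp1 and idp2, the path /saml2/login/sso and the shared SP entity ID are all assumptions. The security-relevant point is that the path given to loginProcessingUrl must be the same path every registration advertises through assertionConsumerServiceLocation; if the two diverge, the SP metadata tells the IdP to POST responses to an endpoint the SAML filter never processes. Resolving the registration from the response when the path carries no {registrationId} is the 6.x behaviour the maintainer comment above points to.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SingleAcsSaml2Config {

    // One processing path for every IdP, with no {registrationId} placeholder (assumed value).
    static final String ACS_PATH = "/saml2/login/sso";

    // One SP entity ID shared by all registrations, so a single SP metadata document
    // can be handed to every IdP (assumed value; {baseUrl} is expanded by Spring Security).
    static final String SP_ENTITY_ID = "{baseUrl}/saml2/service-provider-metadata";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        // Hypothetical IdP metadata locations; Spring Security downloads them at startup.
        RelyingPartyRegistration idp1 = registration("idp1", "https://idp1.example.com/metadata");
        RelyingPartyRegistration idp2 = registration("idp2", "https://idp2.example.com/metadata");
        return new InMemoryRelyingPartyRegistrationRepository(idp1, idp2);
    }

    private static RelyingPartyRegistration registration(String registrationId, String idpMetadataUrl) {
        return RelyingPartyRegistrations.fromMetadataLocation(idpMetadataUrl)
                .registrationId(registrationId)
                .entityId(SP_ENTITY_ID)
                // Must match loginProcessingUrl below: this is the ACS location the
                // generated SP metadata advertises to the IdP.
                .assertionConsumerServiceLocation("{baseUrl}" + ACS_PATH)
                .build();
    }

    @Bean
    SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/saml2/service-provider-metadata/**").permitAll()
                .anyRequest().authenticated())
            // loginProcessingUrl, not filterProcessingUrl: the method name the thread corrects.
            .saml2Login(saml2 -> saml2.loginProcessingUrl(ACS_PATH))
            .saml2Logout(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after wiring this up: fetch the SP metadata for each registration and confirm that every AssertionConsumerService element's Location is https://your-host/saml2/login/sso, and that this is the URL the IdP administrators have registered. An IdP-initiated response posted to any other path is simply an unauthenticated request to your application.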

ssharma1011 commented 9 months ago

Hi @jzheaux, thank you for your reply. I have a few questions. I am using Spring Security 5.7.8, and when I try to set the URL as you mentioned:

  1. It gives me an exception that the login processing URL must include {registrationId}. Maybe it is not allowed in Spring Security version 5.7.8.

  2. Also, the URL that you shared shows that I need to write the line relyingPartyRegistrationBuilder.assertionConsumerServiceLocation("/saml/SSO"). Since I am using a yml file, the relying party registration builder is not customized in my code. Is there any way I can put this URL directly into my yml file?

  3. I actually want to use a custom URL which should not contain /saml/SSO but {hostname}/anything/something. Is this achievable?

Attaching my yml and configuration file. We are upgrading our SP and looking to create unique metadata, and we don't want to go to our existing IdPs to change the URLs. This is an IdP-initiated SSO use case. I have looked a lot online but couldn't find a definitive answer. Looking for your expert comments.

// Spring Security 5.7.x on Spring Boot 2.x, hence the javax.servlet namespace
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig {

    private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    public SecurityConfig(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {

        DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
                new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);

        // The cast selects the Converter constructor of Saml2MetadataFilter; in 5.7 the
        // resolver implements both Converter and RelyingPartyRegistrationResolver.
        Saml2MetadataFilter filter = new Saml2MetadataFilter(
                (Converter<HttpServletRequest, RelyingPartyRegistration>) relyingPartyRegistrationResolver,
                new OpenSamlMetadataResolver());
        // Placeholder from the original post: the path the SP metadata is served on.
        filter.setRequestMatcher(new AntPathRequestMatcher("SP Entity ID"));

        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();

        http
                //    .exceptionHandling((exceptions) -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/brokersso")))
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .csrf().disable()
                //.ignoringAntMatchers("/login/saml2/sso/**")
                //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .saml2Login(saml2 -> saml2
                        .authenticationManager(new ProviderManager(authenticationProvider))
                        .loginProcessingUrl("/saml2/login/sso"))
                // Serve SP metadata before the SSO filter gets a chance to see the request
                .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

        return http.build();
    }
}

spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta1:
            signing:
              credentials:
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"
          okta2:
            signing:
              credentials:
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"

ssharma1011 commented 9 months ago

Hi @jzheaux @sumeetpri waiting for your valuable suggestion.

jzheaux commented 8 months ago

I see, @ssharma1011, let's do this instead. So that this ticket stays focused to the discussion about filterProcessingUrl, will you please post your question to StackOverflow? You can paste a link to your question here, and I'd be happy to follow up with you there.