Closed sumeetpri closed 1 year ago
@marcusdacoregio @jzheaux Looking for your expert input, is the document https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html outdated?
Thanks for the report @sumeetpri, the property should be `loginProcessingUrl` instead of `filterProcessingUrl`. This is now fixed.
Hi @sumeetpri - were you able to find a solution for this in your original question: "We have multiple federated idp and want single assertion url for all idp like /saml2/SSO . How do we can achieve single Assertion url for all idp not dynamic by registration Id ?"

My use case: idp1 sends an assertion; I find out from that assertion that it is coming from a particular IdP and process the SSO. Happy to open another issue if it is against guidelines.
@ssharma1011, at this point, you should be able to set the value to `/saml2/SSO`, which you can read about here: https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication.html#saml2-response-processing-endpoint
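Putting the two settings from that doc section together, as an added example (mine, not code from the thread or from the Spring Security project): two IdPs registered with one shared assertion consumer service URL and the matching login processing URL. It assumes Spring Security 6.1 on Spring Boot, assumes 6.1's behaviour of selecting the registration from the Response's Issuer when the processing path carries no `{registrationId}` (which, going by the thread, 5.7.8 does not allow), and the metadata URLs, entity IDs and class name are placeholders.

```java
// Added example (not from the thread or from Spring Security itself); assumes Spring Security 6.1.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SharedAcsSecurityConfig {

    // One ACS for every IdP; {baseUrl} is a placeholder Spring Security expands at request time.
    static final String SHARED_ACS = "{baseUrl}/saml2/SSO";
    // One SP entityID for every IdP, so a single SP metadata document can be handed to all of them.
    static final String SP_ENTITY_ID = "{baseUrl}/saml2/service-provider-metadata/sp";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        // Placeholder metadata URLs; fromMetadataLocation fetches them at startup.
        RelyingPartyRegistration okta1 = RelyingPartyRegistrations
                .fromMetadataLocation("https://idp1.example.com/metadata")
                .registrationId("okta1")
                .entityId(SP_ENTITY_ID)
                .assertionConsumerServiceLocation(SHARED_ACS)
                .build();
        RelyingPartyRegistration okta2 = RelyingPartyRegistrations
                .fromMetadataLocation("https://idp2.example.com/metadata")
                .registrationId("okta2")
                .entityId(SP_ENTITY_ID)
                .assertionConsumerServiceLocation(SHARED_ACS)
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(okta1, okta2);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // Must match SHARED_ACS. With no {registrationId} in the path, the registration is
            // picked from the SAMLResponse's Issuer, so each IdP needs a distinct asserting-party entityID.
            .saml2Login(saml2 -> saml2.loginProcessingUrl("/saml2/SSO"));
        return http.build();
    }
}
```

Because both registrations share the ACS, the only thing that tells the IdPs apart is the Issuer in the Response, so the two IdP metadata documents must carry different entity IDs. The shared endpoint is not an open door: the Response or Assertion still has to validate against the verification credentials of the registration that the Issuer selects, so a message from an unregistered party is rejected as before.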
Hi @jzheaux - Thank you for your reply. I have a few questions. I am using Spring Security 5.7.8.

1. When I try to set the URL as you mentioned, it gives me an exception that the login processing URL must include {registrationId}. Maybe it is not allowed in Spring Security version 5.7.8.
2. Also, the URL that you shared shows that I need to write this line: `relyingPartyRegistrationBuilder.assertionConsumerServiceLocation("/saml/SSO")`. Since I am using a yml file, the relying party registration builder is not customized in my code. Is there any way I can put this URL directly into my yml file?
3. I actually want to use a custom URL which should not contain /saml/SSO but {hostname}/anything/something. Is this achievable?

Attaching my yml and configuration file. We are upgrading our SP and looking to create a unique metadata and don't want to go to our existing IdPs to change the URLs. This is an IdP-initiated SSO use case. I have looked a lot online but couldn't find a definitive answer. Looking for your expert comments.
```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    public SecurityConfig(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        // Looks up the RelyingPartyRegistration for a request by the {registrationId} in its path
        DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
                new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
        // Serves SP metadata; "SP Entity ID" is the placeholder pattern from the original post
        Saml2MetadataFilter filter = new Saml2MetadataFilter(
                (Converter<HttpServletRequest, RelyingPartyRegistration>) relyingPartyRegistrationResolver,
                new OpenSamlMetadataResolver());
        filter.setRequestMatcher(new AntPathRequestMatcher("SP Entity ID"));
        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
        http
            // .exceptionHandling((exceptions) -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/brokersso")))
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            .csrf().disable()
            //.ignoringAntMatchers("/login/saml2/sso/**")
            //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .saml2Login(saml2 -> saml2
                .authenticationManager(new ProviderManager(authenticationProvider))
                // no {registrationId} in the path: rejected on 5.7.8, as reported above
                .loginProcessingUrl("/saml2/login/sso"))
            .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }
}
```
```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta1:
            signing:
              credentials:
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"
          okta2:
            signing:
              credentials:
            assertingparty:
              metadata-uri: "IDP metadata url"
            entity-id: "SP-entity-id"
```
Hi @jzheaux @sumeetpri, waiting for your valuable suggestion.
I see, @ssharma1011, let's do this instead. So that this ticket stays focused on the discussion about `filterProcessingUrl`, will you please post your question to StackOverflow? You can paste a link to your question here, and I'd be happy to follow up with you there.
I am using version 6.1.1 of Spring Security and I need to configure a single response processing endpoint for a federated IdP. I have referred to the Spring documentation which provides an example code snippet. However, I couldn't find the `filterProcessingUrl` method in the `Saml2LoginConfigurer` class. As a result, I'm getting a compile error stating that `filterProcessingUrl` is not found.

Here is the example code mentioned in the Spring documentation under the SAML2 Authentication Responses section:

And here is my code for the SAML 2.0 configuration:

I'm wondering why I'm unable to find the `saml2.filterProcessingUrl` method in my code.

We have multiple federated IdPs and want a single assertion URL for all IdPs, like /saml2/SSO. How can we achieve a single assertion URL for all IdPs, not dynamic by registration Id?