生成 <saml2:AuthnRequest>
如前所述,Spring Security 的 SAML 2.0 支持会生成一个 <saml2:AuthnRequest> 来开始与断言方进行身份验证。
Spring Security 部分通过在过滤器链中注册 Saml2WebSsoAuthenticationRequestFilter 来实现这一点。默认情况下,此过滤器响应端点 /saml2/authenticate/{registrationId}。
例如,如果您部署到 rp.example.com 并且您为注册分配了一个 ID okta,您可以导航到
结果将是包含 SAMLRequest 参数的重定向,该参数包含已签名的、已解压缩的和已编码的 <saml2:AuthnRequest>。
更改 <saml2:AuthnRequest> 的存储方式
Saml2WebSsoAuthenticationRequestFilter 使用 Saml2AuthenticationRequestRepository 在发送 <saml2:AuthnRequest> 到断言方之前持久化 AbstractSaml2AuthenticationRequest 实例。
此外,Saml2WebSsoAuthenticationFilter 和 Saml2AuthenticationTokenConverter 使用 Saml2AuthenticationRequestRepository 加载任何 AbstractSaml2AuthenticationRequest 作为身份验证 <saml2:Response> 的一部分。
默认情况下,Spring Security 使用 HttpSessionSaml2AuthenticationRequestRepository,它将 AbstractSaml2AuthenticationRequest 存储在 HttpSession 中。
如果您有 Saml2AuthenticationRequestRepository 的自定义实现,您可以通过将其公开为 @Bean 来配置它,如下例所示
-
Java
-
Kotlin
@Bean
Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository() {
return new CustomSaml2AuthenticationRequestRepository();
}@Bean
open fun authenticationRequestRepository(): Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {
return CustomSaml2AuthenticationRequestRepository()
}更改 <saml2:AuthnRequest> 的发送方式
默认情况下,Spring Security 会对每个 <saml2:AuthnRequest> 进行签名,并将其作为 GET 请求发送到断言方。
许多断言方不需要签名的 <saml2:AuthnRequest>。这可以通过 RelyingPartyRegistrations 自动配置,或者您可以手动提供它,如下所示
-
Boot
-
Java
-
Kotlin
spring:
security:
saml2:
relyingparty:
okta:
identityprovider:
entity-id: ...
singlesignon.sign-request: falseRelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistration.withRegistrationId("okta")
// ...
.assertingPartyDetails(party -> party
// ...
.wantAuthnRequestsSigned(false)
)
.build();var relyingPartyRegistration: RelyingPartyRegistration =
RelyingPartyRegistration.withRegistrationId("okta")
// ...
.assertingPartyDetails { party: AssertingPartyDetails.Builder -> party
// ...
.wantAuthnRequestsSigned(false)
}
.build()否则,您需要将私钥指定给 RelyingPartyRegistration#signingX509Credentials,以便 Spring Security 可以在发送 <saml2:AuthnRequest> 之前对其进行签名。
默认情况下,Spring Security 将使用 rsa-sha256 对 <saml2:AuthnRequest> 进行签名,但某些断言方可能需要不同的算法,如其元数据中所示。
您可以根据断言方的元数据使用 RelyingPartyRegistrations 配置算法。
或者,您可以手动提供它
-
Java
-
Kotlin
String metadataLocation = "classpath:asserting-party-metadata.xml";
RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations.fromMetadataLocation(metadataLocation)
// ...
.assertingPartyDetails((party) -> party
// ...
.signingAlgorithms((sign) -> sign.add(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512))
)
.build();var metadataLocation = "classpath:asserting-party-metadata.xml"
var relyingPartyRegistration: RelyingPartyRegistration =
RelyingPartyRegistrations.fromMetadataLocation(metadataLocation)
// ...
.assertingPartyDetails { party: AssertingPartyDetails.Builder -> party
// ...
.signingAlgorithms { sign: MutableList<String?> ->
sign.add(
SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512
)
}
}
.build()上面的代码片段使用 OpenSAML SignatureConstants 类来提供算法名称。但这只是为了方便。由于数据类型是 String,因此您可以直接提供算法的名称。 |
某些断言方要求 <saml2:AuthnRequest> 使用 POST 方法发送。这可以通过 RelyingPartyRegistrations 自动配置,或者您可以手动提供它,如下所示
-
Java
-
Kotlin
RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistration.withRegistrationId("okta")
// ...
.assertingPartyDetails(party -> party
// ...
.singleSignOnServiceBinding(Saml2MessageBinding.POST)
)
.build();var relyingPartyRegistration: RelyingPartyRegistration? =
RelyingPartyRegistration.withRegistrationId("okta")
// ...
.assertingPartyDetails { party: AssertingPartyDetails.Builder -> party
// ...
.singleSignOnServiceBinding(Saml2MessageBinding.POST)
}
.build()自定义 OpenSAML 的 AuthnRequest 实例
您可能需要调整 AuthnRequest 的原因有很多。例如,您可能希望将 ForceAuthN 设置为 true,而 Spring Security 默认将其设置为 false。
您可以通过将 OpenSaml4AuthenticationRequestResolver 作为 @Bean 发布来自定义 OpenSAML 的 AuthnRequest 中的元素,如下所示
-
Java
-
Kotlin
@Bean
Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
RelyingPartyRegistrationResolver registrationResolver =
new DefaultRelyingPartyRegistrationResolver(registrations);
OpenSaml4AuthenticationRequestResolver authenticationRequestResolver =
new OpenSaml4AuthenticationRequestResolver(registrationResolver);
authenticationRequestResolver.setAuthnRequestCustomizer((context) -> context
.getAuthnRequest().setForceAuthn(true));
return authenticationRequestResolver;
}@Bean
fun authenticationRequestResolver(registrations : RelyingPartyRegistrationRepository) : Saml2AuthenticationRequestResolver {
val registrationResolver : RelyingPartyRegistrationResolver =
new DefaultRelyingPartyRegistrationResolver(registrations)
val authenticationRequestResolver : OpenSaml4AuthenticationRequestResolver =
new OpenSaml4AuthenticationRequestResolver(registrationResolver)
authenticationRequestResolver.setAuthnRequestCustomizer((context) -> context
.getAuthnRequest().setForceAuthn(true))
return authenticationRequestResolver
}
