SAML SSO Service preferred binding type from IDP metadata

[codemasterover9000]

Expected Behavior

Allow The RelyingPartyRegistrations.fromMetadata*() methods to select a prefered binding type from the IDP metadata document.

Current Behavior

The RelyingPartyRegistrations.fromMetadata*() methods now pick the first binding type it comes across that is either redirect of post. So the order in which they appear in de IDP metadata document determines the used binding type.

Context

Due to security policies we need to use the POST binding if it is available. Currently implemented this by parsing the IDP metadata "manually".

[jzheaux]

Hi, @codemasterover9000, thanks for the suggestion.

With the introduction of AssertingPartyMetadataRepository, this is simpler than it once was:

AssertingPartyMetadataRepository idps = OpenSaml5AssertingPartyMetadataRepository.
        withMetadataLocation("https://ap.example.org");

private RelyingPartyRegistration.Builder ensurePostBinding() {
    OpenSamlAssertingPartyDetails idp = (OpenSamlAssertingPartyDetails) assertingParties.iterator().next();
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withAssertingPartyMetadata(idp);   
    if (hasPostBinding(idp.getEntityDescriptor())) {
        builder.assertingPartyMetadata((party) -> party.singleSignOnServiceBinding(Saml2MessageBinding.POST))
    }
    return builder;
}

The nice thing about this approach is that OpenSaml5AssertingPartyMetadataRepository periodically refreshes the metadata, which is handy if you are getting it from an HTTPS endpoint:

@Component
public class PostEnsuringRelyingPartyRegistrationRepository implements IterableRelyingPartyRegistrationRepository {
    private final AssertingPartyMetadataRepository idps = ...;

    @Override 
    public RelyingPartyRegistration findByRegistrationId(String registrationId) {
         RelyingPartyRegistration.Builder builder = ensurePostBinding()
         // sp customizations
         return builder.build();
    }

    // ...
}

Does something like this address your use case?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[codemasterover9000]

@jzheaux Thanks for the response. This is a good solution and as you said with the added benefit of periodically updating the metadata.

Thanks!