SAML SSO Service preferred binding type from IDP metadata #16454

codemasterover9000 · 2025-01-20T14:17:07Z

Expected Behavior

Allow The RelyingPartyRegistrations.fromMetadata*() methods to select a prefered binding type from the IDP metadata document.

Current Behavior

The RelyingPartyRegistrations.fromMetadata*() methods now pick the first binding type it comes across that is either redirect of post. So the order in which they appear in de IDP metadata document determines the used binding type.

Context

Due to security policies we need to use the POST binding if it is available. Currently implemented this by parsing the IDP metadata "manually".

The text was updated successfully, but these errors were encountered:

jzheaux · 2025-01-28T00:38:47Z

Hi, @codemasterover9000, thanks for the suggestion.

With the introduction of AssertingPartyMetadataRepository, this is simpler than it once was:

AssertingPartyMetadataRepository idps = OpenSaml5AssertingPartyMetadataRepository.
        withMetadataLocation("https://ap.example.org");

private RelyingPartyRegistration.Builder ensurePostBinding() {
    OpenSamlAssertingPartyDetails idp = (OpenSamlAssertingPartyDetails) assertingParties.iterator().next();
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withAssertingPartyMetadata(idp);   
    if (hasPostBinding(idp.getEntityDescriptor())) {
        builder.assertingPartyMetadata((party) -> party.singleSignOnServiceBinding(Saml2MessageBinding.POST))
    }
    return builder;
}

The nice thing about this approach is that OpenSaml5AssertingPartyMetadataRepository periodically refreshes the metadata, which is handy if you are getting it from an HTTPS endpoint:

@Component
public class PostEnsuringRelyingPartyRegistrationRepository implements IterableRelyingPartyRegistrationRepository {
    private final AssertingPartyMetadataRepository idps = ...;

    @Override 
    public RelyingPartyRegistration findByRegistrationId(String registrationId) {
         RelyingPartyRegistration.Builder builder = ensurePostBinding()
         // sp customizations
         return builder.build();
    }

    // ...
}

Does something like this address your use case?

spring-projects-issues · 2025-02-04T00:43:23Z

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

codemasterover9000 · 2025-02-04T09:50:21Z

@jzheaux Thanks for the response. This is a good solution and as you said with the added benefit of periodically updating the metadata.

Thanks!

codemasterover9000 added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 20, 2025

sjohnr assigned jzheaux Jan 23, 2025

sjohnr added the in: saml2 An issue in SAML2 modules label Jan 23, 2025

jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 28, 2025

spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Feb 4, 2025

codemasterover9000 closed this as completed Feb 4, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SAML SSO Service preferred binding type from IDP metadata #16454

SAML SSO Service preferred binding type from IDP metadata #16454

codemasterover9000 commented Jan 20, 2025

jzheaux commented Jan 28, 2025

spring-projects-issues commented Feb 4, 2025

codemasterover9000 commented Feb 4, 2025

SAML SSO Service preferred binding type from IDP metadata #16454

SAML SSO Service preferred binding type from IDP metadata #16454

Comments

codemasterover9000 commented Jan 20, 2025

jzheaux commented Jan 28, 2025

spring-projects-issues commented Feb 4, 2025

codemasterover9000 commented Feb 4, 2025