My application's basic configuration is shown below.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApplicationConfiguration {
    @Autowired
    SamlSuccessHandler successHandler;

    @Bean
    SecurityFilterChain configure(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
        ).saml2Login(saml2 -> {
            saml2.loginProcessingUrl("/saml/SSO")
                    .successHandler(successHandler);
        }).build();
    }
}
application.yml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          sap-account400:
            entity-id: my_entity_id
            identityprovider:
              entity-id: https://my-service.com
              singlesignon.sign-request: true
            assertingparty:
              metadata-uri: https://okta.com/1234
            decryption:
              credentials:
                - private-key-location: classpath:private_key_encryption.pem
                  certificate-location: classpath:certificate_encryption.crt
            signing:
              credentials:
                - private-key-location: classpath:private_key.pem
                  certificate-location: classpath:certificate.crt
            acs:
              location: http://localhost:8080/saml/SSO
For InResponseTo validation, you need to customize OpenSaml4AuthenticationProvider. By default, it validates the status code, the InResponseTo attribute, the Destination attribute and the Issuer attribute. The simplest approach is to remove the InResponseTo validation result, as shown below:
import java.util.Collection;
import java.util.stream.Collectors;
import static org.springframework.security.saml2.core.Saml2ErrorCodes.INVALID_IN_RESPONSE_TO;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseValidatorResult;
import org.springframework.stereotype.Component;

@Component
final class ResponseValidator implements Converter<ResponseToken, Saml2ResponseValidatorResult> {
    // Run the default checks first, then drop only the InResponseTo error and keep all others
    private final Converter<ResponseToken, Saml2ResponseValidatorResult> delegate =
            OpenSaml4AuthenticationProvider.createDefaultResponseValidator();
    @Override
    public Saml2ResponseValidatorResult convert(ResponseToken response) {
        Saml2ResponseValidatorResult result = this.delegate.convert(response);
        Collection<Saml2Error> errors = result.getErrors().stream()
                .filter((error) -> !error.getErrorCode().equals(INVALID_IN_RESPONSE_TO))
                .collect(Collectors.toList());
        return Saml2ResponseValidatorResult.failure(errors);
    }
}
...
    @Bean
    AuthenticationProvider authenticationProvider(ResponseValidator validator) {
        OpenSaml4AuthenticationProvider authenticationProvider =
                new OpenSaml4AuthenticationProvider();
        authenticationProvider.setResponseValidator(validator);
        return authenticationProvider;
    }
However, I recommend that you first try configuring the IdP so that it does not include information you do not intend to validate. A suggested alternative is to customize Saml2AuthenticationRequestRepository.
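The alternative named at the end of the answer, as an added example that is not part of the question or the answer: instead of dropping the InResponseTo check, keep the saved AuthnRequest somewhere the SAMLResponse POST can find it again, so the default validation still compares the response's InResponseTo against the saved request ID. The repository below keys entries on the RelayState value that the IdP echoes back (Spring Security's default request resolver sets a random UUID as RelayState). The class name, the TTL constructor argument and the in-memory ConcurrentHashMap are my choices; the imports assume Spring Security 6 with jakarta.servlet (use javax.servlet for 5.x). Wire it with saml2.authenticationRequestRepository(...) inside saml2Login.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;

/**
 * Added example (not the question's or answer's code): stores each outgoing
 * AuthnRequest under its RelayState so the matching SAMLResponse can be paired
 * with it. The saved request keeps its own ID, so OpenSaml4AuthenticationProvider's
 * default InResponseTo validation runs unchanged; only the storage location differs.
 * The ConcurrentHashMap is a stand-in for a store shared by every node.
 */
public class RelayStateSaml2AuthenticationRequestRepository
        implements Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {

    private static final String RELAY_STATE_PARAM = "RelayState";

    private final Map<String, StoredRequest> store = new ConcurrentHashMap<>();
    private final long ttlMillis;

    /** ttlMillis bounds how long an unanswered AuthnRequest stays valid. */
    public RelayStateSaml2AuthenticationRequestRepository(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    @Override
    public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
        String relayState = request.getParameter(RELAY_STATE_PARAM);
        if (relayState == null) {
            // Nothing saved: the default validator then rejects any response that still carries an InResponseTo
            return null;
        }
        StoredRequest stored = this.store.get(relayState);
        if (stored == null) {
            return null;
        }
        if (stored.expiresAt < System.currentTimeMillis()) {
            this.store.remove(relayState);
            return null; // expired: the InResponseTo check fails for this response, as it should
        }
        return stored.request;
    }

    @Override
    public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authenticationRequest,
            HttpServletRequest request, HttpServletResponse response) {
        if (authenticationRequest == null) {
            removeAuthenticationRequest(request, response);
            return;
        }
        String relayState = authenticationRequest.getRelayState();
        if (relayState == null || relayState.isEmpty()) {
            throw new IllegalStateException("AuthnRequest has no RelayState; configure a relayStateResolver");
        }
        evictExpired(); // keep the map bounded by the TTL
        this.store.put(relayState,
                new StoredRequest(authenticationRequest, System.currentTimeMillis() + this.ttlMillis));
    }

    @Override
    public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(HttpServletRequest request,
            HttpServletResponse response) {
        String relayState = request.getParameter(RELAY_STATE_PARAM);
        if (relayState == null) {
            return null;
        }
        // One-shot: a second POST with the same RelayState finds nothing to pair with
        StoredRequest stored = this.store.remove(relayState);
        if (stored == null || stored.expiresAt < System.currentTimeMillis()) {
            return null;
        }
        return stored.request;
    }

    private void evictExpired() {
        long now = System.currentTimeMillis();
        this.store.entrySet().removeIf(entry -> entry.getValue().expiresAt < now);
    }

    private static final class StoredRequest {
        final AbstractSaml2AuthenticationRequest request;
        final long expiresAt;

        StoredRequest(AbstractSaml2AuthenticationRequest request, long expiresAt) {
            this.request = request;
            this.expiresAt = expiresAt;
        }
    }
}
```

The RelayState parameter arriving with the response is untrusted input, but here it is only a lookup key: a response is accepted only if its InResponseTo also matches the ID of the request found under that key, which the default validator still enforces. Entries are removed on first use and expire after the TTL, so a replayed response or a stale request finds no match.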