For the latest stable version, please use Spring Security 6.4.1!

SAML 2.0 Metadata

Spring Security can parse asserting party metadata to produce an AssertingPartyDetails instance, and can publish relying party metadata from a RelyingPartyRegistration instance.

Parsing <saml2:IDPSSODescriptor> Metadata

You can parse an asserting party's metadata using RelyingPartyRegistrations.

When using the OpenSAML vendor support, the resulting AssertingPartyDetails is an OpenSamlAssertingPartyDetails. This means you can obtain the underlying OpenSAML XMLObject as follows:

Java
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();

Kotlin
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor()

Producing <saml2:SPSSODescriptor> Metadata

You can publish a metadata endpoint by adding the Saml2MetadataFilter to the filter chain, as shown below:

Java
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

Kotlin
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
    DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
    relyingPartyRegistrationResolver,
    OpenSamlMetadataResolver()
)

http {
    //...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}

You can use this metadata endpoint to register your relying party with the asserting party. This is often as simple as finding the correct form field in which to supply the metadata endpoint.

By default, the metadata endpoint is /saml2/service-provider-metadata/{registrationId}. You can change this by calling the setRequestMatcher method on the filter:

Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));

Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))

Or, if you have registered a custom relying party registration resolver in the constructor, you can specify a path without the registrationId hint, like so:

Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));

Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
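The following is an added example, not code from the Spring Security reference, that ties the two halves of this page together in one configuration class: it parses the asserting party's <saml2:IDPSSODescriptor> metadata with RelyingPartyRegistrations, inspects the resulting OpenSamlAssertingPartyDetails, and publishes the relying party's <saml2:SPSSODescriptor> through a Saml2MetadataFilter mounted at a custom path. The registration id "okta", the classpath locations metadata/idp.xml and rp-signing.p12, the keystore alias "rp", the RP_KEYSTORE_PASSWORD environment variable and the loadSigningCredential helper are all assumptions made for this example.

```java
// Added example (not part of the Spring Security reference documentation).
// Assumed values: registration id "okta", classpath files "metadata/idp.xml" and
// "rp-signing.p12", keystore alias "rp", env var RP_KEYSTORE_PASSWORD.
package example.saml2;

import static org.springframework.security.config.Customizer.withDefaults;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.OpenSamlAssertingPartyDetails;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class Saml2MetadataConfig {

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        Saml2X509Credential signing = loadSigningCredential();

        // Parse the asserting party's <saml2:IDPSSODescriptor>. A copy on the classpath
        // (assumed path) is used so the trust anchors come from a location you control.
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:metadata/idp.xml")
                .registrationId("okta")
                // Keep the entity id in step with the custom metadata path configured below.
                .entityId("{baseUrl}/saml2/metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .signingX509Credentials(c -> c.add(signing))
                .build();

        // With the OpenSAML vendor support the parsed details expose the EntityDescriptor.
        OpenSamlAssertingPartyDetails details =
                (OpenSamlAssertingPartyDetails) registration.getAssertingPartyDetails();
        EntityDescriptor descriptor = details.getEntityDescriptor();

        // Fail fast at startup if the metadata carried no verification certificate:
        // without one, no assertion from this asserting party could ever be verified.
        if (details.getVerificationX509Credentials().isEmpty()) {
            throw new IllegalStateException(
                    "no verification certificate in metadata for " + descriptor.getEntityID());
        }
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {
        // Publish the relying party's <saml2:SPSSODescriptor> at a custom path. The filter
        // sits before Saml2WebSsoAuthenticationFilter, so the metadata is served without
        // authentication even though every other request requires it.
        Saml2MetadataFilter metadata = new Saml2MetadataFilter(
                new DefaultRelyingPartyRegistrationResolver(registrations),
                new OpenSamlMetadataResolver());
        metadata.setRequestMatcher(
                new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));

        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(withDefaults())
            .addFilterBefore(metadata, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }

    // Hypothetical helper: load the relying party's signing key pair from a PKCS#12
    // keystore on the classpath. File name, alias and password source are assumptions.
    private static Saml2X509Credential loadSigningCredential() throws Exception {
        char[] password = System.getenv("RP_KEYSTORE_PASSWORD").toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Saml2MetadataConfig.class.getResourceAsStream("/rp-signing.p12")) {
            keyStore.load(in, password);
        }
        PrivateKey key = (PrivateKey) keyStore.getKey("rp", password);
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate("rp");
        return Saml2X509Credential.signing(key, certificate);
    }
}
```

With this in place, GET /saml2/metadata/okta returns the signed <saml2:SPSSODescriptor> that you hand to the asserting party, and the startup check refuses to boot if the parsed IdP metadata contains nothing to verify assertions with.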

Changing the Way a RelyingPartyRegistration Is Looked Up

To apply a custom RelyingPartyRegistrationResolver to the metadata endpoint, you can provide it directly in the filter constructor, as follows:

Java
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter.class);

Kotlin
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...
val metadata = Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver())

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java)

If you apply a RelyingPartyRegistrationResolver that removes the registrationId from the URI, you must also change the URI in the filter, as follows:

Java
metadata.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));

Kotlin
metadata.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))