This version is still in development and is not yet considered stable. For the latest stable version, please use Spring Security 6.3.1.

Spring Security can parse asserting party metadata to produce an AssertingPartyDetails instance, and it can publish relying party metadata from a RelyingPartyRegistration instance.

Parsing <saml2:IDPSSODescriptor> metadata

When using the OpenSAML vendor support, the resulting AssertingPartyDetails is of type OpenSamlAssertingPartyDetails. This means you can obtain the underlying OpenSAML XMLObject (the EntityDescriptor) by doing the following:

Java
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
Kotlin
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor()

Producing <saml2:SPSSODescriptor> metadata

You can publish a metadata endpoint by adding the Saml2MetadataFilter to the filter chain, as shown below:

Java
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
Kotlin
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
    DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
    relyingPartyRegistrationResolver,
    OpenSamlMetadataResolver()
)

http {
    // ...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}

You can use this metadata endpoint to register your relying party with your asserting party. This is often as simple as finding the correct form field in the asserting party's administration UI and supplying the metadata endpoint URL there.

By default, the metadata endpoint is /saml2/service-provider-metadata/{registrationId}. You can change this by calling the setRequestMatcher method on the filter:

Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))

Or, if you have registered a custom relying party registration resolver in the constructor, you can specify a path without the registrationId hint, like so:

Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))

Changing the way a RelyingPartyRegistration is looked up

If you have a custom RelyingPartyRegistrationResolver, you can apply it to the metadata endpoint by supplying it directly in the filter constructor, like so:

Java
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
Kotlin
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...
val metadata = Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver())

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java)

If you are applying a RelyingPartyRegistrationResolver that removes the registrationId from the URI, you must also change the URI in the filter, like so:

Java
// setRequestMatcher takes a RequestMatcher, not a plain path string
metadata.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
Kotlin
metadata.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
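The two halves of this page, parsing the asserting party's <saml2:IDPSSODescriptor> metadata into a RelyingPartyRegistration and publishing our own <saml2:SPSSODescriptor> metadata through a Saml2MetadataFilter, fit together in one configuration class. The following is an added example written for this page, not code from the Spring Security project or its documentation. It assumes a registration id of "example-idp", an IdP metadata file at "classpath:idp-metadata.xml", an expected IdP entity id of "https://idp.example.com/saml2/idp" and a relying party entity id of "https://rp.example.com/saml2/sp"; all four are placeholders you would replace with your own values.

```java
// Added example: parse IdP metadata into a RelyingPartyRegistration, sanity-check
// what was parsed, and publish SP metadata at a custom path with Saml2MetadataFilter.
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class Saml2MetadataConfig {

    // Assumed placeholder values; replace with the identifiers of your deployment.
    private static final String IDP_METADATA = "classpath:idp-metadata.xml";
    private static final String EXPECTED_IDP_ENTITY_ID = "https://idp.example.com/saml2/idp";
    private static final String RP_ENTITY_ID = "https://rp.example.com/saml2/sp";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        // Parse the asserting party's metadata. Use a local copy you reviewed, or an
        // https:// URL whose TLS trust you control: the signing certificate inside this
        // document is what every assertion from the IdP is later verified against.
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(IDP_METADATA)
                .registrationId("example-idp")
                .entityId(RP_ENTITY_ID)
                .build();

        // Fail at startup rather than at first login if the parsed metadata is not what
        // we expect: pin the IdP entity id and require at least one signing certificate.
        String parsedEntityId = registration.getAssertingPartyDetails().getEntityId();
        if (!EXPECTED_IDP_ENTITY_ID.equals(parsedEntityId)) {
            throw new IllegalStateException("Unexpected IdP entity id in metadata: " + parsedEntityId);
        }
        if (registration.getAssertingPartyDetails().getVerificationX509Credentials().isEmpty()) {
            throw new IllegalStateException("IdP metadata contains no signing certificate");
        }
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {
        RelyingPartyRegistrationResolver resolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);
        Saml2MetadataFilter metadata = new Saml2MetadataFilter(resolver, new OpenSamlMetadataResolver());
        // Serve SP metadata at /saml2/metadata/{registrationId} for GET only.
        metadata.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));

        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(withDefaults())
            // The metadata filter writes its response and ends the chain, so the document
            // is reachable without authentication by design. That is fine: it only carries
            // the relying party's public certificates and endpoint URLs, never private keys.
            .addFilterBefore(metadata, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }
}
```

The entity-id pin and the empty-credential check are the part worth keeping even if you drop everything else: a metadata file that was swapped, truncated or fetched from the wrong URL then surfaces as a startup failure with a clear message instead of as assertions that silently fail (or, worse, verify against the wrong issuer) at login time.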