For the latest stable version, please use Spring Security 6.3.3!spring-doc.cn

For the latest stable version, please use Spring Security 6.3.3!spring-doc.cn

Spring Security can parse asserting party metadata to produce an AssertingPartyDetails instance as well as publish relying party metadata from a RelyingPartyRegistration instance.spring-doc.cn

Parsing <saml2:IDPSSODescriptor> metadata

You can parse an asserting party’s metadata using RelyingPartyRegistrations.spring-doc.cn

When using the OpenSAML vendor support, the resulting AssertingPartyDetails will be of type OpenSamlAssertingPartyDetails. This means you’ll be able to do get the underlying OpenSAML XMLObject by doing the following:spring-doc.cn

OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();

Producing <saml2:SPSSODescriptor> Metadata

You can publish a metadata endpoint using the saml2Metadata DSL method, as you’ll see below:spring-doc.cn

http
    // ...
    .saml2Login(withDefaults())
    .saml2Metadata(withDefaults());
http {
    //...
    saml2Login { }
    saml2Metadata { }
}

You can use this metadata endpoint to register your relying party with your asserting party. This is often as simple as finding the correct form field to supply the metadata endpoint.spring-doc.cn

By default, the metadata endpoint is /saml2/metadata, though it also responds to /saml2/metadata/{registrationId} and /saml2/service-provider-metadata/{registrationId}.spring-doc.cn

You can change this by calling the metadataUrl method in the DSL:spring-doc.cn

.saml2Metadata((saml2) -> saml2.metadataUrl("/saml/metadata"))
saml2Metadata {
	metadataUrl = "/saml/metadata"
}

Changing the Way a RelyingPartyRegistration Is Looked Up

If you have a different strategy for identifying which RelyingPartyRegistration to use, you can configure your own Saml2MetadataResponseResolver like the one below:spring-doc.cn

@Bean
Saml2MetadataResponseResolver metadataResponseResolver(RelyingPartyRegistrationRepository registrations) {
	RequestMatcherMetadataResponseResolver metadata = new RequestMatcherMetadataResponseResolver(
			(id) -> registrations.findByRegistrationId("relying-party"));
	metadata.setMetadataFilename("metadata.xml");
	return metadata;
}
@Bean
fun metadataResponseResolver(val registrations: RelyingPartyRegistrationRepository): Saml2MetadataResponseResolver {
    val metadata = new RequestMatcherMetadataResponseResolver(
			id: String -> registrations.findByRegistrationId("relying-party"))
	metadata.setMetadataFilename("metadata.xml")
	return metadata
}