SAML2 customizable URLs #8873
Comments
@JoakimLofgren I think it makes sense to simplify configuring the URL for creating an AuthnRequest. If we follow the pattern established in

```java
http
    .saml2Login(saml2 -> saml2
        .authenticationRequestEndpoint(authn -> authn
            .baseUri(myCustomUri)
        )
    );
```

Then that would be quite similar to:

```java
http
    .oauth2Login(oauth2 -> oauth2
        .authorizationEndpoint(authz -> authz
            .baseUri(myCustomUri)
        )
    );
```

Would you be able to submit a PR along those lines to enhance the DSL? It would also be quite nice to update the Kotlin DSL while you are at it.
Sure. After #8864 is finished.
After a bit more experimentation with it, I think the following is easier to read:

```java
http
    .saml2Login(saml2 -> saml2
        .loginProcessingUrl("/saml2/response/{registrationId}")
        .authenticationRequestUri("/saml2/request/{registrationId}")
    );
```

I like it because it has less hierarchy.
@JoakimLofgren are you still able to contribute a PR to add support for configuring the
Hey, I am kind of stuck on not being able to change the default entityId & replyUrl in the AuthnRequest. My SP is running on http, so the URLs for entityId & replyUrl are being generated for http. But because of some firewall changes, public website access is only over https. So basically I want the URLs in the AuthnRequest to be https.
@chelseakohli, this would probably be better as a StackOverflow question, so please consider posting there if my answer here doesn't address your question and also update your comment with the StackOverflow link. You can customize the

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;

@Bean
Saml2AuthenticationRequestFactory authenticationRequestFactory() {
    OpenSamlAuthenticationRequestFactory factory =
            new OpenSamlAuthenticationRequestFactory();
    // The converter receives the Saml2AuthenticationRequestContext and must return
    // the OpenSAML AuthnRequest, so issuer and ACS URL can be built with any scheme.
    factory.setAuthenticationRequestContextConverter((context) -> {
        // construct the AuthnRequest
    });
    return factory;
}
```
Hi. Are there any updates on this? It seems the suggestions above haven't been applied to 5.6.0-RC yet. Is there any workaround for this (e.g. using withObjectPostProcessor)? Thank you.
@fr2lancer

```java
import java.lang.reflect.Field;

import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.ReflectionUtils;

// `saml` is the Saml2LoginConfigurer from http.saml2Login(); SAML_PATH is the custom prefix.
// Step 1: overwrite the private filterProcessingUrl that the configurer uses when it
// builds Saml2WebSsoAuthenticationRequestFilter (depends on private field names, so it
// can break on upgrade).
Field parent = ReflectionUtils.findField(saml.getClass(), "authenticationRequestEndpoint");
parent.setAccessible(true);
Field child = ReflectionUtils.findField(parent.getType(), "filterProcessingUrl");
child.setAccessible(true);
ReflectionUtils.setField(child, ReflectionUtils.getField(parent, saml),
        SAML_PATH + "/login");
parent.setAccessible(false);
child.setAccessible(false);
// Step 2: make the filter instance itself match the new path.
saml.addObjectPostProcessor(
        new ObjectPostProcessor<Saml2WebSsoAuthenticationRequestFilter>() {
            @Override
            public <O extends Saml2WebSsoAuthenticationRequestFilter> O postProcess(O object) {
                object.setRedirectMatcher(new AntPathRequestMatcher(SAML_PATH + "/login"));
                return object;
            }
        });
```
Could we also have these fields customizable?
Because we want to make logout requests by AJAX POST and JS can't control 302 redirects.
@denis111 please log a separate issue regarding customizing the redirect strategy.
Any progress?
@JoakimLofgren, I've created #10840 to specifically address the authentication request URI. Are there any other endpoints that you would like to see addressed? If not, I'll close this issue in favor of #10840.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Sounds good. 👍
Expected Behavior

I want to be able to change all SAML2 URLs to be able to e.g. add a prefix.

Current Behavior

Some URLs are customizable, like `Saml2LoginConfigurer.loginProcessingUrl`. While some are not, e.g. `Saml2LoginConfigurer.AuthenticationRequestEndpointConfig.filterProcessingUrl` (`/saml2/authenticate/{registrationId}`).

Context

A workaround for adding a path prefix is using the `server.servlet.context-path`. But this doesn't work if you want to tweak URLs to be similar to an already existing solution created with the old SAML module.

Although assuming you want `/auth` as a prefix, and after login you want to redirect to the root `/` and not `/auth/`, you cannot use the default success handler. You need to create a custom one with a redirect strategy which is not context relative.
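A custom success handler of the kind described above, added here as an example (it is not code from the issue or from Spring Security itself): with `server.servlet.context-path=/auth` it sends the user to the host root `/` rather than `/auth/`. It assumes Spring Security 5.x; `DefaultRedirectStrategy` prepends the context path to a relative URL unless its `contextRelative` flag is enabled, which is what the handler sets, and the class and bean names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/** Sends the user to the server root after SAML2 login, ignoring the servlet context path. */
public class RootRedirectSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public RootRedirectSuccessHandler() {
        super("/");
        // Ignore any saved request; always redirect to the default target URL above.
        setAlwaysUseDefaultTargetUrl(true);
        DefaultRedirectStrategy strategy = new DefaultRedirectStrategy();
        // With contextRelative=true the strategy hands "/" unchanged to
        // response.sendRedirect(), so "/auth" is not prepended.
        strategy.setContextRelative(true);
        setRedirectStrategy(strategy);
    }
}

// Assumed configuration class wiring the handler into saml2Login().
@Configuration
class SamlSecurityConfig {

    @Bean
    SecurityFilterChain samlFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // the processing URL is already customizable (see "Current Behavior")
                .loginProcessingUrl("/saml2/sso/{registrationId}")
                .successHandler(new RootRedirectSuccessHandler()));
        return http.build();
    }
}
```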