|
| 1 | +NOTE: This document is a work in progress. Please check back regularly for updates. |
| 2 | + |
| 3 | +This document contains guidance for moving SAML 2.0 Service Providers from Spring Security SAML Extensions 1.x to Spring Security 5.7.x. Since Spring Security doesn’t provide Identity Provider support, migrating a Spring Security SAML Extensions Identity Provider is out of scope for this document. |
| 4 | + |
| 5 | +Because the two approaches are as different as they are, this document will tend to cover patterns more than precise search-and-replace steps. |
| 6 | + |
| 7 | +[[saml2-login-logout]] |
| 8 | +== Login & Logout |
| 9 | + |
| 10 | +=== Changes In Approach |
| 11 | + |
| 12 | +https://github.com/spring-projects/spring-security[Spring Security] takes a slightly different approach from https://github.com/spring-projects/spring-security-saml[Spring Security SAML Extensions] in a few notable ways. |
| 13 | + |
| 14 | +==== Simplified Enablement |
| 15 | + |
| 16 | +Spring Security SAML Extensions support for Service Providers is provided by a series of filters enabled by adding each filter manually in the correct order to various Spring Security filter chains. |
| 17 | + |
| 18 | +Spring Security’s SAML 2.0 Service Provider support is enabled via the Spring Security `saml2Login` and `saml2Logout` DSL methods. It selects the correct filters to add and puts them in the appropriate places in the filter chain. |
| 19 | + |
| 20 | +==== Stronger Encapsulation |
| 21 | + |
| 22 | +Like Spring Security SAML Extensions, Spring Security bases it’s SAML support on OpenSAML. The Extensions project exposes OpenSAML over public interfaces, blurring the lines between the two projects, effectively requiring OpenSAML, and making upgrades to later versions of OpenSAML more complicated. |
| 23 | + |
| 24 | +Spring Security provides stronger encapsulation. No public interfaces expose OpenSAML components and any class that exposes OpenSAML in its public API is named with an `OpenSaml` prefix for additional clarity. |
| 25 | + |
| 26 | +==== Out-of-the-box Multitenancy |
| 27 | + |
| 28 | +Spring Security SAML Extensions offered some lightweight support for declaring more than one Identity Provider and accessing it at login time using the `idp` request parameter. This was limiting as far as changing things at runtime was concerned and also doesn’t allow for a many-to-many relationship between relying and asserting parties. |
| 29 | + |
| 30 | +Spring Security builds SAML 2.0 multitenancy into its default URLs and basic components in the form of a `RelyingPartyRegistration`. This component acts as a link between a Relying Party’s metadata and an Asserting Party’s metadata, and all pairs are available for lookup in a `RelyingPartyRegistrationRepository`. Each URL represents a unique registration pair to be retrieved. |
| 31 | + |
| 32 | +Whether it’s AuthnRequests, Responses, LogoutRequests, LogoutResponses, or EntityDescriptors, each filter is based off of `RelyingPartyRegistrationRepository` and so is fundamentally multi-tenant. |
| 33 | + |
| 34 | +=== Examples Matrix |
| 35 | + |
| 36 | +Both Spring Security and Spring Security SAML Extensions have examples for how to configure the Service Provider: |
| 37 | + |
| 38 | +[options="header"] |
| 39 | +|=== |
| 40 | +| Use case | Spring Security | Spring Security SAML Extension |
| 41 | + |
| 42 | +| Login & Logout | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/login[Sample] | |
| 43 | +https://github.com/jzheaux/spring-security-saml-migrate/tree/main/login-logout[Sample] |
| 44 | +| Login using SAML Extension URLs | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/custom-urls[Sample] | - |
| 45 | +|=== |
| 46 | + |
| 47 | +You can also see a showcase example in https://github.com/spring-projects/spring-security-saml/tree/main/sample[Spring Security SAML Extension]'s GitHub project. |
| 48 | + |
| 49 | + |
| 50 | +[NOTE] |
| 51 | +==== |
| 52 | +Spring Security does not support HTTP-Redirect binding for SAML 2.0 Responses. |
| 53 | +According to the SAML specification, the HTTP-Redirect binding is not permitted for SAML Responses due to URL length and signature limitations. Attempting to use this binding may result in unexpected errors. |
| 54 | +Use HTTP-POST binding instead when configuring your identity provider. |
| 55 | +==== |
| 56 | + |
| 57 | +[[saml2-metadata]] |
| 58 | +== Metadata |
| 59 | + |
| 60 | +Support for metadata is currently quite simple. Additions to its functionality are under consideration. |
| 61 | + |
| 62 | +`RelyingPartyRegistrations` builds off of the existing multitenancy support and can derive multiple ``RelyingPartyRegistration``s from a single EntityDescriptor endpoint. These can then be paired with locally-configured relying party information as needed. |
| 63 | + |
| 64 | +For applications that require Spring Security SAML Extension’s refreshable metadata feature, please see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/refreshable-metadata[the associated Spring Security sample] for how to add. |
| 65 | + |
| 66 | +[[saml2-unported]] |
| 67 | +== Unported Features |
| 68 | + |
| 69 | +There are some features that are not yet ported over and there are as yet no plans to do so: |
| 70 | + |
| 71 | +* HTTP-Redirect binding for SAML 2.0 Responses |
| 72 | +* Artifact binding support |
0 commit comments