Custom SAML Authority Extractor

[mftruso]

Summary

It doesn't appear possible to use AuthenticationManagerBuilder config with Saml2LoginConfigurer to provide a custom Authority extractor.

Actual Behavior

OpenSamlAuthenticationProvider always uses the default implementation for authoritiesExtractor. See https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java#L216-L219

Expected Behavior

Use AuthenticationManagerBuilder to provide OpenSamlAuthenticationProvider with a custom Authority mapper & extractor.

Configuration

Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = (a ->
            singletonList(new SimpleGrantedAuthority("ROLE_SUPERUSER"))
    );

    GrantedAuthoritiesMapper authoritiesMapper = (a -> a);

    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        OpenSamlAuthenticationProvider samlAuthProvider = new OpenSamlAuthenticationProvider();
        samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor);
        samlAuthProvider.setAuthoritiesMapper(authoritiesMapper);
        authenticationManagerBuilder.authenticationProvider(samlAuthProvider);
    }

@Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
		http
			.authorizeRequests()
				.anyRequest().authenticated()
				.and()
			.saml2Login()
				.relyingPartyRegistrationRepository(
						new InMemoryRelyingPartyRegistrationRepository(
							getSaml2AuthenticationConfiguration()
					)
				)
                .successHandler(getCustomLoginSuccessHandler());
		// @formatter:on
    }

Version

• Spring 5.1.6.RELEASE
• Spring Security 5.2.1.RELEASE

Sample

https://github.com/mftruso/spring-security-saml-example/blob/master/src/main/java/com/miketruso/springsecurity/saml/demo/config/SecurityConfig.java

[eleftherias]

Thanks for the report @mftruso.

The reason why the above configuration is not using your custom OpenSamlAuthenticationProvider is because you are configuring saml2Login() as well, which adds its own OpenSamlAuthenticationProvider.
The OpenSamlAuthenticationProvider configured by saml2Login() will process your request first, and therefore the request will not reach the custom OpenSamlAuthenticationProvider.

I have created a new issue gh-7654, to make it easier to set a custom OpenSamlAuthenticationProvider.

As a workaround for the moment, you can use an ObjectPostProcessor.
Here is an example of how it would work with the code you provided.

...
.saml2Login()
    .addObjectPostProcessor(new ObjectPostProcessor<OpenSamlAuthenticationProvider>() {
        public <O extends OpenSamlAuthenticationProvider> O postProcess(
                O samlAuthProvider) {
            samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor);
            samlAuthProvider.setAuthoritiesMapper(authoritiesMapper);
            return samlAuthProvider;
        }
    });

[mftruso]

Workaround works great! Thanks @eleftherias!

[eleftherias]

I will close this issue, since we have gh-7654 instead and a workaround for the time being.