SAML2 AuthnResponse custom type values are not mapped to Saml2AuthenticatedPrincipal #9696

Closed
leneinz opened this issue Apr 30, 2021 · 5 comments
Assignees
Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement

Comments

@leneinz

leneinz commented Apr 30, 2021

My current authentication is working and I get values in my DefaultSaml2AuthenticationProvider, but somehow I can't find these values:

        <saml2:AttributeValue xmlns:example="http://www.example.de/schema/something/saml/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="example:CustomType">
          <example:name>Springy</example:name>
        </saml2:AttributeValue>
@leneinz leneinz added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 30, 2021
@jzheaux
Contributor

jzheaux commented Apr 30, 2021

Thanks for the report, @leneinz.

I think I'll need more information to help you get to the root of the problem. Would you please share a minimal sample that reproduces the issue? It would be helpful if the minimal sample included a sample SAML response that's not working as expected.

@jzheaux jzheaux self-assigned this Apr 30, 2021
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 30, 2021
@leneinz
Author

leneinz commented May 5, 2021

Hi, I had to ask the legal team before I made this response public, sorry for the delay:
I changed the names and URIs a bit.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://example.com/something/sso/acs" ID="_123123123123132"
                 InResponseTo="_456456456465456" IssueInstant="2021-04-29T12:30:48.721Z"
                 Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://id.example.com</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_a957ef3c9ef293e3ad8a09a012c913a6bc63db74"
                   IssueInstant="2021-04-29T12:30:48.719Z" Version="2.0">
    <saml2:Issuer>https://id.example.com</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ab-abcdefc456456878978945456</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_025da7c63e568afbed6277b6b8a5e08a82c6d99f"
                                       NotOnOrAfter="2021-04-29T12:35:48.721Z"
                                       Recipient="https:/example.com/something/sso/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2021-04-29T12:35:48.719Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:com:example:demo</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-04-29T12:30:48.719Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Address">
        <saml2:AttributeValue xmlns:myType="http://www.example.com/schema/myType/saml/extensions"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="myType:AdresseType">
          <myType:Street>Some Nice Street</myType:Street>
          <myType:Number>6</myType:Number>
          <myType:ZIP>12354</myType:ZIP>
          <myType:City>Nicetown</myType:City>
          <myType:Country>DE</myType:Country>
        </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels May 5, 2021
@jzheaux
Contributor

jzheaux commented May 17, 2021

When it comes to processing custom types, OpenSAML recommends a custom unmarshaller.

But, OpenSaml4AuthenticationProvider ignores custom types in getXmlObjectValue. I think it makes sense to change getXmlObjectValue to return xmlObject instead of null so that it doesn't ignore custom types.

Are you able to submit a PR to change that and then add a test that uses a custom unmarshaller?

In the meantime, you can parse custom attributes yourself by using a custom authentication converter like so:

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

import static org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter;

OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
// Keep the default conversion (name, authorities, standard attributes) and add to it
Converter<ResponseToken, Saml2Authentication> authenticationConverter =
        createDefaultResponseAuthenticationConverter();
provider.setResponseAuthenticationConverter((responseToken) -> {
    Saml2Authentication authentication = authenticationConverter.convert(responseToken);
    Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
    Map<String, List<Object>> attributes = new LinkedHashMap<>(principal.getAttributes());
    // parseAddressFromResponse(...) is your own method that walks the already-validated Response
    attributes.put("Address", parseAddressFromResponse(responseToken.getResponse()));
    principal = new DefaultSaml2AuthenticatedPrincipal(authentication.getName(), attributes);
    return new Saml2Authentication(principal, authentication.getSaml2Response(),
            authentication.getAuthorities());
});
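
A filled-in version of the parseAddressFromResponse(...) helper the workaround above leaves open, added here as an illustration and not code from the issue or from Spring Security; it assumes no custom unmarshaller is registered for myType:AdresseType, so OpenSAML hands the unknown xsi:type over as XSAny objects whose child elements are XSAny as well.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Response;
// Hypothetical helper for the workaround above: reads the "Address" attribute
// of every assertion and flattens each custom-typed AttributeValue into a map.
final class CustomAttributeValues {

    static List<Object> parseAddressFromResponse(Response response) {
        List<Object> values = new ArrayList<>();
        // The response converter runs after the provider has verified the
        // signature and conditions, so only validated assertions are read here.
        for (Assertion assertion : response.getAssertions()) {
            for (AttributeStatement statement : assertion.getAttributeStatements()) {
                for (Attribute attribute : statement.getAttributes()) {
                    if (!"Address".equals(attribute.getName())) {
                        continue;
                    }
                    for (XMLObject value : attribute.getAttributeValues()) {
                        // Assumption: no unmarshaller is registered for myType:AdresseType,
                        // so OpenSAML keeps it as an XSAny whose children are XSAny too.
                        if (value instanceof XSAny) {
                            values.add(flatten((XSAny) value));
                        }
                    }
                }
            }
        }
        return values;
    }
    // <myType:Street>Some Nice Street</myType:Street> ... -> {Street=Some Nice Street, ...}
    private static Map<String, String> flatten(XSAny value) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (XMLObject child : value.getUnknownXMLObjects()) {
            if (child instanceof XSAny) {
                String text = ((XSAny) child).getTextContent();
                fields.put(child.getElementQName().getLocalPart(), text == null ? "" : text.trim());
            }
        }
        return fields;
    }
}
```

Each entry in the returned list is a Map with keys Street, Number, ZIP, City and Country for the sample response above; once a custom unmarshaller is registered, the value is no longer an XSAny and this helper would need to cast to that type instead.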

@jzheaux jzheaux added type: enhancement A general enhancement and removed type: bug A general bug labels May 17, 2021
@jzheaux jzheaux added status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: feedback-provided Feedback has been provided labels Dec 10, 2021
@igorpele
Contributor

igorpele commented Jan 26, 2022

Hi, I would like to have a look at this issue. Thanks. Cheers

@jzheaux
Contributor

jzheaux commented Jan 26, 2022

Thanks, @igorpele, it's yours.

@jzheaux jzheaux assigned igorpele and unassigned jzheaux Jan 26, 2022
@jzheaux jzheaux added in: saml2 An issue in SAML2 modules and removed status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Jan 26, 2022
igorpele pushed a commit to igorpele/spring-security that referenced this issue Feb 4, 2022
OpenSaml custom types are added to Saml2AuthenticatedPrincipal as
attributes.

Closes spring-projectsgh-9696
jzheaux pushed a commit that referenced this issue Feb 5, 2022
OpenSaml custom types are added to Saml2AuthenticatedPrincipal as
attributes.

Closes gh-9696
jzheaux added a commit that referenced this issue Feb 5, 2022
- Moved construction and management of custom objects
into TestCustomOpenSamlObjects

Issue gh-9696
@jzheaux jzheaux closed this as completed in f626d11 Feb 5, 2022
4 participants