Allow a SAML2 relying party registration's decryption X509 credentials to be configured via application properties #23705

Closed
dawi opened this issue Oct 15, 2020 · 6 comments
Comments

@dawi

dawi commented Oct 15, 2020

Saml2RelyingPartyRegistrationConfiguration does not support setting of decryptionX509Credentials.

Via Java Config it is possible to set decryption credentials like this:

import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

// Start from the IdP metadata, then add the relying party's own credentials
final RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
    .fromMetadataLocation("http://localhost:8081/auth/realms/DemoRealm/protocol/saml/descriptor")
    .registrationId("demo-saml-client")
    .entityId("demo-saml-client")
    // private key + certificate the relying party signs its AuthnRequests with
    .signingX509Credentials(c -> c.add(getSigningCredential()))
    // private key + certificate used to decrypt assertions the IdP encrypted for this relying party
    .decryptionX509Credentials(c -> c.add(getDecryptionCredential()))
    .build();

Unfortunately this is not possible via Spring Boot application.properties.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 15, 2020
@wilkinsona wilkinsona changed the title Saml2RelyingPartyRegistrationConfiguration does not support setting of decryptionX509Credentials Allow a SAML2 relying party registration's decryption X509 credentials to be configured via application properties Oct 15, 2020
@wilkinsona wilkinsona added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 15, 2020
@wilkinsona wilkinsona added this to the 2.4.x milestone Oct 15, 2020
@dawi
Author

dawi commented Oct 19, 2020

I have two more annotations:

  • It's also not possible to set the assertionConsumerServiceBinding.
  • Maybe relying-party-entity-id could be named entity-id, since the other relying party properties are also not prefixed and the IdP's entity-id is also not named identity-provider-entity-id.

@wilkinsona
Member

wilkinsona commented Oct 19, 2020

Thanks. We prefer to keep issues small and focussed if we can so I've opened #23745 and #23746 for those two.

@snicoll
Member

snicoll commented Oct 26, 2020

Actually, we used to configure both signing and decryption with the existing configuration property, but the use of credentials is deprecated in Spring Security 5.4, so not introducing the separate property seems to be an oversight.

See also spring-projects/spring-security@56928f6

@snicoll snicoll self-assigned this Oct 26, 2020
@snicoll snicoll modified the milestones: 2.4.x, 2.4.0-RC1 Oct 26, 2020
@snicoll
Member

snicoll commented Oct 26, 2020

@dawi this will be available in 2.4.0-SNAPSHOT shortly. If you have time, I'd appreciate if you could give the snapshot a try. Thanks!
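With the change in Spring Boot 2.4, the Java config from the first comment has an application.properties equivalent. This is an added example and not configuration posted in the thread: the registration id, file paths and IdP URLs are placeholders, and the key names are those of Spring Boot 2.4's Saml2RelyingPartyProperties (identityprovider.* as named in that release).

```properties
# Placeholder registration id and file paths, constructed for this example
spring.security.saml2.relyingparty.registration.demo-saml-client.relying-party-entity-id=demo-saml-client

# Credential the relying party signs its AuthnRequests with (its own private key + certificate)
spring.security.saml2.relyingparty.registration.demo-saml-client.signing.credentials[0].private-key-location=classpath:saml/rp-signing.key
spring.security.saml2.relyingparty.registration.demo-saml-client.signing.credentials[0].certificate-location=classpath:saml/rp-signing.crt

# Credential used to decrypt assertions the IdP encrypted for this relying party (the property
# this issue added). The certificate is what the IdP encrypts to and is published in the SP
# metadata; the matching private key never leaves the relying party.
spring.security.saml2.relyingparty.registration.demo-saml-client.decryption.credentials[0].private-key-location=classpath:saml/rp-decryption.key
spring.security.saml2.relyingparty.registration.demo-saml-client.decryption.credentials[0].certificate-location=classpath:saml/rp-decryption.crt

# The IdP side: its entity id, SSO endpoint (placeholders) and the certificate used to verify
# the signature on responses and assertions, which is a certificate only, with no private key
spring.security.saml2.relyingparty.registration.demo-saml-client.identityprovider.entity-id=http://localhost:8081/auth/realms/DemoRealm
spring.security.saml2.relyingparty.registration.demo-saml-client.identityprovider.sso-url=http://localhost:8081/auth/realms/DemoRealm/protocol/saml
spring.security.saml2.relyingparty.registration.demo-saml-client.identityprovider.verification.credentials[0].certificate-location=classpath:saml/idp-signing.crt
```

Keeping the signing and decryption pairs as separate key files, as above, means the decryption private key can be rotated without re-issuing the key the IdP validates request signatures against.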

@dawi
Author

dawi commented Oct 27, 2020

@snicoll I could successfully authenticate against Keycloak with Encrypt Assertions enabled. :)

@snicoll
Member

snicoll commented Oct 27, 2020

@dawi thanks for trying it out!
