Skip to content

Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 10, 2025
Merged

Decouple SAML 2.0 Single Logout from the authenticated principal's type #11338

merged 3 commits into from
Jun 10, 2025

Conversation

chschu
Copy link
Contributor

@chschu chschu commented Jun 6, 2022

Issue gh-10820

When using a custom authenticated principal that does not implement Saml2AuthenticatedPrincipal, the Authentication itself can now implement Saml2AuthenticationInfo to provide the same information.

Making the authenticated principal implement the Saml2AuthenticatedPrincipal interface is not always an option. The authenticated principal can be an opaque Object created and consumed by code completely unaware of Spring Security.

On the other hand, the code that creates a custom Authentication already has Spring Security on the classpath, so implementing Saml2AuthenticationInfo there should always be possible.

The new interface Saml2AuthenticationInfo is currently only used for SAML 2.0 Single Logout. If neither the authenticated principal nor the Authentication itself implements it, SAML 2.0 Single Logout requests won't be detected.

This PR does not change the default behavior. It improves flexibility if OpenSaml4AuthenticationProvider.responseAuthenticationConverter is customized.

@pivotal-cla
Copy link

@chschu Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-cla
Copy link

@chschu Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 6, 2022
@chschu chschu mentioned this pull request Jun 6, 2022
Closed
@chschu chschu force-pushed the feature/gh-10820 branch from e69bea1 to 387f00d Compare June 6, 2022 18:38
jzheaux
jzheaux reviewed Mar 20, 2023
View reviewed changes
.../springframework/security/saml2/provider/service/authentication/Saml2AuthenticationInfo.java Outdated
Copy link
Contributor

@jzheaux jzheaux Mar 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not totally clear on why this new interface is needed. Maybe the code instead should check for authentication as well as authentication.getPrincipal being of type Saml2AuthenticatedPrincipal. The code could change to:

if (authentication instanceof Saml2AuthenticatedPrincipal principal) {
    return principal.getRelyingPartyRegistrationId();
}
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
  return principal.getRelyingPartyRegistrationId();
}

It seems like this would achieve what you are wanting without adding a new interface to support. This is nice since there is such a big overlap between Saml2AuthenticatedPrincipal and Saml2AuthenticationInfo's methods.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because an authentication token is not a principal, while both a token and a principal can be sources of SAML information.

You don't want to have Saml2Authentication implements Saml2AuthenticatedPrincipal do you?

@jzheaux
Copy link
Contributor

jzheaux commented Mar 20, 2023

@chschu, I realize it's been a bit since you submitted this PR. I've posted a review; once we are aligned on how to change things, I'm happy to do the legwork to resolve the conflicting files so that you can focus on making the implementation changes.

@jzheaux jzheaux added status: duplicate A duplicate of another issue type: enhancement A general enhancement in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 20, 2023
@Faisul
Copy link

Faisul commented Jul 19, 2024

i had to use this as a work around for now. https://stackoverflow.com/a/78768756/19424868

@jzheaux jzheaux force-pushed the feature/gh-10820 branch from 387f00d to 5a6d5fa Compare June 5, 2025 23:46
@jzheaux jzheaux removed the status: duplicate A duplicate of another issue label Jun 9, 2025
@jzheaux jzheaux added this to the 7.0.0-M1 milestone Jun 9, 2025
chschu added 2 commits June 10, 2025 16:25
@chschu @jzheaux
SAML 2.0 Single Logout Uses Saml2AuthenticationInfo
cdc770c 
This allows SLO to be triggered without the authentication
principal needing to implement a given interface.

Issue spring-projectsgh-10820
@chschu @jzheaux
Add NameID to SAML 2.0 Authentication Info
759c889 
Issue spring-projectsgh-10820
@jzheaux jzheaux force-pushed the feature/gh-10820 branch from de62adc to 79170b9 Compare June 10, 2025 22:41
@jzheaux
Rework Saml2 Authentication Statement
c160801 
This commit separates the authentication principal, the assertion details,
and the relying party tenant into separate components. This allows the
principal to be completely decoupled from how Spring Security triggers and
processes SLO.

Specifically, it adds Saml2AssertionAuthentication, a new authentication
implementation that allows an Object principal and a Saml2ResponseAssertionAccessor
credential. It also moves the relying party registration id from
Saml2AuthenticatedPrincipal to Saml2AssertionAuthentication.

As such, Saml2AuthenticatedPrincipal is now deprecated in favor of
placing its assertion components in Saml2ResponseAssertionAccessor and
the relying party registration id in Saml2AssertionAuthentication.

Closes spring-projectsgh-10820
@jzheaux jzheaux force-pushed the feature/gh-10820 branch from 79170b9 to c160801 Compare June 10, 2025 23:08
@jzheaux jzheaux enabled auto-merge (rebase) June 10, 2025 23:11
@jzheaux
Copy link
Contributor

jzheaux commented Jun 10, 2025
edited
Loading

Thanks, @chschu, for your patience on this PR. I've changed the name of the interface and placed it in the credential instead. In this way, there isn't any expectation for what interface the principal implements in order to inform logout behavior.

It will merge once the build completes.

@jzheaux jzheaux merged commit 9b72437 into spring-projects:main Jun 10, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OrangeDog OrangeDog OrangeDog left review comments

@jzheaux jzheaux jzheaux left review comments

Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
7.0.0-M1
Development

Successfully merging this pull request may close these issues.
6 participants
@chschu @pivotal-cla @jzheaux @Faisul @OrangeDog @spring-projects-issues