Configure POST ProtocolBinding in Spring Security

2020-07-13 07:39发布

问题:

Spring Security SAML insists on requesting the Artifact binding in the SAML authentication request (ProtocolBinding attribute):

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 AssertionConsumerServiceURL="http://sp.com/saml/SSO/alias/defaultAlias"
                 Destination="https://idp.com/idp"
                 ForceAuthn="false"
                 ID="a4acj06d42fdc0d3494h859g3f7005c"
                 IsPassive="false"
                 IssueInstant="2012-12-05T17:07:18.271Z"
                 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                 Version="2.0"
                 >

How can I configure POST binding instead? Thanks for any answers!

-- Andreas

回答1:

Thanks nobby and Sanjeev, I've recently applied this to a similar case and it put me on the right track.

Being very new to the Spring Security SAML2 extension, I had to do a little extra digging around to get the WebSSOProfileOptions applied. Essentially to get an HTTP-POST binding on the SAML authentication request you need the profile options passed to the org.springframework.security.saml.websso.WebSSOProfileImpl#sendAuthenticationRequest() method.

For our config, which is very similar to the config in the Spring RC2 sample project, this meant passing the WebSSOProfileOptions bean as described in Sanjeev's solution to the samlEntryPoint.defaultProfileOptions property (or adding a binding property there).

Trouble is, this did not result in the AuthnRequest picking up the binding property as set. In our case our SAML metadata was specifying isDefault=true on the HTTP-Artifact bound AssertionConsumerService. And in our RC2 version of the Spring Security SAML2 library this is the default behaviour of the org.springframework.security.saml.metadata.MetadataGenerator.

This can be overridden by setting the assertionConsumerIndex property of the MetadataGenerator. The HTTP Post assertion consumer gets configured at index 1 in our case.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
   <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
         <property name="assertionConsumerIndex" value="1" /><!-- 1=HTTP-POST -->
      </bean>
   </constructor-arg>
</bean>


回答2:

In the securityContext.xml sp-initiated binding can be set. Example below used HTTP-POST

 <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="includeScoping" value="false"/>
                <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            </bean>

Values of bindings can be found in org.opensaml.common.xml.SAMLConstants class.