SAML2: Support federation with multiple IdPs

[OrangeDog]

A key feature of spring-security-saml2-core was the ability to easily configure multiple metadata providers to configure multiple IdPs from multiple sources and access their details to provide a custom discovery page.

In particular, you can configure a URI for an <EntitiesDescriptor> document, and all the <EntityDescriptor>s within would be configured including any shared keys information. For example, http://metadata.ukfederation.org.uk/ukfederation-metadata.xml describes all the participants in the UK Access Management Federation.

I can't see any way to do this with the current Spring 5 support. RelyingPartyRegistrations.fromMetadataLocation only results in a single RelyingPartyRegistration, and the full entity descriptor does not appear to be available from that - e.g. the <EntityAttributes> and <Extensions>.

It's not even clear that the model of a 1-to-1 binding of relying party (SP) to asserting party (IdP) going to work if there are multiple RelyingPartyRegistrations with the same entityId. I've no idea how the login filter is going to work, for example.

As with the OAuth2 support, I find myself disappointed that the excellent previous library is being EoL'd without sufficient replacement.

• RelyingPartyRegistrations should read all entities #10782
• Consider Adding OpenSamlAssertingPartyDetails #10781

[jzheaux]

@OrangeDog, thanks for the feedback and the suggestions.

It seems like there are multiple asks in here. For this ticket, I'm going to focus on your comments about metadata.

In particular, you can configure a URI for an document, and all the s within would be configured including any shared keys information

By this, I think you are meaning that you'd like to see a component that can read multiple entity definitions from a single metadata endpoint and return multiple RelyingPartyRegistrations. Do I have that right? I think that's a feature worth looking into.

I'm having trouble with the URL you posted since it doesn't appear to work as an HTTPS link. Can you provide an HTTPS URL?

the full entity descriptor does not appear to be available from that

RelyingPartyRegistration is not intended to expose everything in an entity descriptor, only the things that Spring Security needs in order to operate its feature set. Perhaps we should find a way for the resulting RelyingPartyRegistration to contain the original OpenSAML entity descriptor instance so that other attributes can be retrieved.

Either way, this is feeling like a separate ticket. Will you please file a separate ticket for it or correct me if I've misunderstood?

It's not even clear that the model of a 1-to-1 binding of relying party (SP) to asserting party (IdP) going to work

For this comment, I'd recommend filing a ticket in Spring Security Samples. I'd be happy to iterate with you on a sample over there to better see where the gaps are.

[OrangeDog]

Do I have that right?

Correct.

Can you provide an HTTPS URL?

No, they do not provide one. Thus it's also vital that keys can be configured for signature verification.

contain the original OpenSAML entity descriptor instance

Yes please. That's what spring-security-saml does.

a separate ticket

This ticket was intended more as a (very common in my industry) concrete user story. I was going to let the team create whatever specific changes/tasks would be required to achieve it.

[OrangeDog]

I have thought of some other things that spring-security-saml does that block migration to the new version for people in SAML federations.

• Provide the full SAMLCredential when constructing UserDetails instances. Not only so the correct user can be found and authorities can be granted, but so the IdP id can be stored for later SLO if it supports it.
• Use the cacheDuration and validUntil attributes of the EntitiesDescriptor to schedule a refresh of the metadata, independently for each metadata source that provides one