I am using Spring Security v5.5.1 SAML2 code for SAML support. I have a working solution using the older Spring security extension, but I am "upgrading".
I have the SP initiated and IDP initiated flows working, but I cannot figure out how to configure the success handler redirect URL. It defaults to "/". I do not understand how I can access the Saml2WebSsoAuthenticationFilter and/or the SavedRequestAwareAuthenticationSuccessHandler to override the URL.
I set a default RelayState on the IDP and it does get sent with the assertions, but Spring does not appear to use it.
Also, using the older extension, I could store the SAML request in a DB and retrieve it when the response comes in since my app does not use sessions. I have not found a way to do the same here.
Here are my auth provider and relying party registration as gleaned from the docs and samples I found:
    import java.time.Duration;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.Map;

    import javax.servlet.http.HttpServletRequest;

    import org.opensaml.saml.common.assertion.ValidationContext;
    import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
    import org.springframework.core.convert.converter.Converter;
    import org.springframework.security.authentication.ProviderManager;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
    import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
    import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
    import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
    import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
    import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

    // Assertion validator with a custom ValidationContext (clock skew, recipient, audience).
    OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
    authenticationProvider.setAssertionValidator(
        OpenSaml4AuthenticationProvider.createDefaultAssertionValidator(assertionToken -> {
            RelyingPartyRegistration registration =
                assertionToken.getToken().getRelyingPartyRegistration();
            Map<String, Object> params = new HashMap<>();
            // OpenSAML 4 reads CLOCK_SKEW as a java.time.Duration, not as milliseconds.
            params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofMinutes(10));
            // SubjectConfirmation Recipient must be this SP's assertion consumer service URL.
            String recipient = registration.getAssertionConsumerServiceLocation();
            params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                Collections.singleton(recipient));
            // AudienceRestriction must name this SP's entity ID, not the ACS URL.
            String audience = registration.getEntityId();
            params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
                Collections.singleton(audience));
            return new ValidationContext(params);
        }));

    Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
    // Publishes SP metadata under /saml2/service-provider-metadata/{registrationId}.
    Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());

    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/saml2/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .and()
        .saml2Login(saml2 -> saml2
            .authenticationManager(new ProviderManager(authenticationProvider)))
        .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

    RelyingPartyRegistration registration = RelyingPartyRegistration
        .withRegistrationId("blah")
        .assertionConsumerServiceLocation(getAssertionRecipient(environment, "blah"))
        .signingX509Credentials(c -> c.add(credentialSp))
        .decryptionX509Credentials(c -> c.add(decryptSp))
        .assertingPartyDetails(party -> party
            .entityId("blah")
            .singleSignOnServiceLocation("https://sso.stuff/samlstuff")
            .wantAuthnRequestsSigned(false)
            .verificationX509Credentials(c -> c.add(credential)))
        .build();
I imagine that I can do the same as before somehow, but for all the docs that are supplied, it is difficult to make sense of much of it.
Thank you!
Maybe you should try a .successHandler(<my_successhandler>)
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/saml2/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .and()
        .saml2Login()
            .successHandler(mySamlLoginSuccessHandler);
with
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

    public class MySamlLoginSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
        public MySamlLoginSuccessHandler() {
            // Redirect here after a successful SAML login.
            super("/path/to/success");
        }
    }
Try something like this; it worked for me.

    .saml2Login(saml2 -> {
        saml2.authenticationManager(new ProviderManager(authenticationProvider));
        saml2.defaultSuccessUrl("url");
    })
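The question also asks why the RelayState sent by the IdP is not used for the redirect. The stock success handler can be told to read a request parameter as the target URL (setTargetUrlParameter("RelayState")), but it returns that value as-is, and in an IdP-initiated flow the value was set by whoever built the link to the IdP, so an absolute URL there would turn the login into an open redirect. The handler below is an added example, not code from any of the posters or from Spring Security: it honours RelayState only when it is a local path and otherwise falls back to the default. The class name RelayStateSuccessHandler, the "/home" default and the configure helper (which assumes http is the HttpSecurity from the question) are this example's own choices.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/**
 * Post-login redirect for saml2Login() that honours RelayState only when it is a
 * local path of this application. Anything else (absolute URL, scheme-relative
 * "//host", backslashes, control characters) falls back to the default target URL.
 *
 * Hypothetical class: the name and the "/home" default are this example's choices.
 */
public class RelayStateSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Form parameter name defined by the SAML 2.0 HTTP-POST binding.
    private static final String RELAY_STATE = "RelayState";

    // One leading "/" that is not followed by another "/", then unreserved and
    // sub-delimiter characters only: no scheme, no authority, no backslash, no whitespace.
    private static final Pattern SAFE_LOCAL_PATH = Pattern.compile(
            "^/(?!/)[A-Za-z0-9._~!$&'()*+,;=:@%/-]*(\\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$");

    public RelayStateSuccessHandler(String defaultTargetUrl) {
        super(defaultTargetUrl);
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String relayState = request.getParameter(RELAY_STATE);
        if (isSafeLocalPath(relayState)) {
            return relayState;
        }
        // Not a local path: ignore it and use the configured default target URL.
        return super.determineTargetUrl(request, response);
    }

    /** True only for a bounded-length, same-application path such as "/orders?id=7". */
    static boolean isSafeLocalPath(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > 2048) {
            return false;
        }
        if (!SAFE_LOCAL_PATH.matcher(candidate).matches()) {
            return false;
        }
        try {
            // Second, independent check: java.net.URI must also see no scheme and no authority.
            URI uri = new URI(candidate);
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Wiring; assumes http is the HttpSecurity being configured in the question. */
    static void configure(HttpSecurity http) throws Exception {
        http.saml2Login(saml2 -> saml2.successHandler(new RelayStateSuccessHandler("/home")));
    }
}
```

With this in place "/orders?id=7" in RelayState is followed, while "https://evil.example", "//evil.example" and "/\evil.example" all land on "/home". The check belongs in the handler rather than in the redirect strategy because the DefaultRedirectStrategy that SimpleUrlAuthenticationSuccessHandler uses follows absolute URLs by default.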