 

Spring Security SAML: Extract Attributes from a saml2p:Response as user attributes

I have been digging into Spring Security SAML a little bit yesterday to make it work with Okta SAML. Logging in works, but the response XML contains user attributes that apparently cannot be extracted automatically into an attribute map. The response contains fields like this

<saml2:Attribute Name="user.lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    Surname
  </saml2:AttributeValue>
</saml2:Attribute>

Once an authentication is successful, I would like to put those in the authentication information. When logging in via github/oauth, the OAuth2AuthenticatedPrincipal class has an attributes map, however the Saml2AuthenticatedPrincipal only features a name.

What would be the correct way to solve this?

Right now I am thinking of a custom AuthenticationSuccessHandler that populates a custom Saml2AuthenticatedPrincipalWithAttributes class which contains all the attributes by parsing the provided XML response (via .getDetails()) a second time (or put them into the session).

I have a hunch that this is probably not the Spring way to do things and would love to get a second opinion. When googling around you mainly find examples of Spring Security SAML from before it got merged into Spring Security, which seems to handle things a little bit differently, as the mentioned classes do not exist anymore.

Thanks for helping everyone!

alr asked Oct 16 '22 03:10
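The workaround sketched above (parsing the response XML a second time to build an attribute map) is straightforward to implement with plain JAXP. The following is an added example, not code from the question, the answer or Spring Security itself; it assumes you already hold the SAML response XML as a String that Spring Security has validated (signature and conditions checked), and it only reads saml2:Attribute elements out of it. Because this is an independent parse of input that passed through the user's browser, the builder disables DTDs and external entities so the second pass cannot be turned into an XXE vector. The sample document is constructed for the demo and is not a real Okta response; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Extracts saml2:Attribute elements from a validated SAML 2.0 Response into a name -> values map. */
public final class SamlAttributeExtractor {

    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private SamlAttributeExtractor() {}

    /** Namespace-aware parser with DTD and external-entity processing switched off (XXE hardening). */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns attribute Name -> list of AttributeValue texts, in document order; multi-valued attributes keep all values. */
    public static Map<String, List<String>> extract(String responseXml) throws Exception {
        Document doc = hardenedBuilder()
            .parse(new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
        Map<String, List<String>> attributes = new LinkedHashMap<>();
        // Match on the assertion namespace, not the "saml2" prefix, since the prefix is the IdP's choice.
        NodeList attrNodes = doc.getElementsByTagNameNS(SAML2_ASSERTION_NS, "Attribute");
        for (int i = 0; i < attrNodes.getLength(); i++) {
            Element attr = (Element) attrNodes.item(i);
            String name = attr.getAttribute("Name");
            if (name.isEmpty()) {
                continue; // Name is required by the schema; skip malformed entries rather than keying on ""
            }
            List<String> values = attributes.computeIfAbsent(name, k -> new ArrayList<>());
            NodeList valueNodes = attr.getElementsByTagNameNS(SAML2_ASSERTION_NS, "AttributeValue");
            for (int j = 0; j < valueNodes.getLength(); j++) {
                // The response in the question pads values with newlines and indentation, so trim them.
                values.add(valueNodes.item(j).getTextContent().trim());
            }
        }
        return attributes;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like the fragment in the question (hypothetical, not a real Okta response).
        String sample = "<saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
            + "<saml2:Assertion><saml2:AttributeStatement>"
            + "<saml2:Attribute Name=\"user.lastName\""
            + " NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\">"
            + "<saml2:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
            + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">"
            + "\n    Surname\n  </saml2:AttributeValue>"
            + "</saml2:Attribute>"
            + "<saml2:Attribute Name=\"groups\">"
            + "<saml2:AttributeValue>admins</saml2:AttributeValue>"
            + "<saml2:AttributeValue>devs</saml2:AttributeValue>"
            + "</saml2:Attribute>"
            + "</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>";
        Map<String, List<String>> attrs = extract(sample);
        System.out.println(attrs);
    }
}
```

The map is keyed by the SAML Name (here "user.lastName"), so whatever principal class you build from it should copy values rather than keep a reference to the DOM. Run the extraction only after Spring Security has accepted the response: attributes read from an unvalidated document are attacker-controlled.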


1 Answer

In the next release of Spring Security (5.4.0) you should be able to do something like this:

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class IndexController {
    @GetMapping("/")
    public String index(Model model,
        @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
        String emailAddress = principal.getFirstAttribute("emailAddress"); // first value of a possibly multi-valued attribute
        model.addAttribute("emailAddress", emailAddress);
        model.addAttribute("userAttributes", principal.getAttributes()); // Map<String, List<Object>> of all SAML attributes
        return "index";
    }
}

For now, I don't know a better workaround than yours.

kostic017 answered Nov 15 '22 08:11