SAML provides a standard mechanism for extending the content sent in authentication requests: the Extensions element.
To use it, you will need to coordinate with your IdP what data you send and in what format. In Spring SAML, you can customize the content by extending the WebSSOProfileImpl class, for example as follows:
```java
package com.v7security.saml;

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

public class WebSSOProfile extends WebSSOProfileImpl {

    @Override
    protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options,
            AssertionConsumerService assertionConsumer, SingleSignOnService bindingService)
            throws SAMLException, MetadataProviderException {
        // Let Spring SAML build the standard AuthnRequest, then attach our Extensions element
        AuthnRequest authnRequest = super.getAuthnRequest(context, options, assertionConsumer, bindingService);
        authnRequest.setExtensions(buildExtensions());
        return authnRequest;
    }

    protected Extensions buildExtensions() {
        // Arbitrary element in our own namespace; the IdP must know this schema
        XSAny languageClass = new XSAnyBuilder().buildObject(
                "http://www.v7security.com/schema/2015/04/request", "RequestLanguage", "req");
        languageClass.setTextContent("urn:v7security:request:lang:english");

        // <saml2p:Extensions> may contain any elements from other namespaces
        Extensions extensions = new ExtensionsBuilder().buildObject();
        extensions.getUnknownXMLObjects().add(languageClass);
        return extensions;
    }

}
```
Another option is to send data in the RelayState, which is part of the information the SP can send to the IdP and expect to get back (usually it carries the SP's state). The value should be opaque to the IdP, but of course the IdP can handle it however you plan. For more information on setting the RelayState, see the chapter on SP-initiated SSO in the manual.
Setting request parameters on the HttpRequest object will have no effect; Spring SAML does not pass them on in any way.
You can add an HTTP parameter to a request sent with the HTTP-Redirect binding by extending the HTTPRedirectDeflateEncoder class and overriding buildRedirectURL. The new class can then be passed to the HTTPRedirectDeflateBinding constructor, replacing the redirectBinding bean in securityContext.xml as follows:
```xml
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <constructor-arg>
        <bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
            <constructor-arg name="pool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.custom.HTTPRedirectDeflateEncoder"/>
    </constructor-arg>
</bean>
```
Vladimír Schäfer
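The answer above describes the encoder override but does not show it. The following is an added example (not part of the original answer or of the Spring SAML project) of what a com.custom.HTTPRedirectDeflateEncoder matching the bean definition could look like. The parameter name "lang", the value "en", the setter-based configuration and the appendQueryParameter helper are all assumptions made for this example; the overridden buildRedirectURL signature is the one OpenSAML 2 declares on org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder.

```java
package com.custom;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.ws.message.encoder.MessageEncodingException;

/**
 * Redirect-binding encoder that appends one extra query parameter to the URL
 * the SP redirects the browser to. The class is named to match the bean
 * definition (com.custom.HTTPRedirectDeflateEncoder), so the OpenSAML parent
 * is referenced by its fully qualified name.
 */
public class HTTPRedirectDeflateEncoder
        extends org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder {

    // Assumed defaults for this example; agree on them with the IdP out of band,
    // exactly as you would for the content of the Extensions element.
    private String parameterName = "lang";
    private String parameterValue = "en";

    // Allow overriding via <property name="parameterName" .../> on the bean
    public void setParameterName(String parameterName) {
        this.parameterName = parameterName;
    }

    public void setParameterValue(String parameterValue) {
        this.parameterValue = parameterValue;
    }

    @Override
    protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message)
            throws MessageEncodingException {
        // Let OpenSAML build the standard query string first (SAMLRequest, RelayState and,
        // when the SP signs redirect messages, SigAlg and Signature). Appending afterwards
        // keeps the signed content unchanged.
        String redirectURL = super.buildRedirectURL(messagesContext, endpointURL, message);
        return appendQueryParameter(redirectURL, parameterName, parameterValue);
    }

    /**
     * Appends name=value to the query string of url, URL-encoding both parts.
     * Kept separate from the OpenSAML-specific override so it can be unit tested
     * without a SAML message context.
     */
    static String appendQueryParameter(String url, String name, String value) throws MessageEncodingException {
        if (name == null || name.length() == 0 || value == null) {
            return url; // nothing to add
        }
        try {
            String pair = URLEncoder.encode(name, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8");
            String separator = url.indexOf('?') >= 0 ? "&" : "?";
            return url + separator + pair;
        } catch (UnsupportedEncodingException e) {
            throw new MessageEncodingException("UTF-8 encoding not available", e);
        }
    }

}
```

To change the parameter, add `<property name="parameterName" value="..."/>` and `<property name="parameterValue" value="..."/>` to the inner `com.custom.HTTPRedirectDeflateEncoder` bean in the configuration above. Note the integrity caveat: the HTTP-Redirect binding signature covers only the SAMLRequest, RelayState and SigAlg parameters, so a parameter added this way is not protected and the IdP cannot verify that the SP sent it. Data the IdP must be able to trust belongs inside the AuthnRequest (for example in the Extensions element, which is part of the signed SAMLRequest value) or in RelayState.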