对于最新的稳定版本,请使用 Spring Security 6.4.1spring-doc.cadn.net.cn

Saml 2.0 元数据

Spring Security 可以解析断言方元数据以生成AssertingPartyDetails实例以及RelyingPartyRegistration实例。spring-doc.cadn.net.cn

解析<saml2:IDPSSODescriptor>元数据

您可以解析断言方的元数据RelyingPartyRegistrations.spring-doc.cadn.net.cn

使用 OpenSAML 供应商支持时,生成的AssertingPartyDetails将为OpenSamlAssertingPartyDetails. 这意味着您将能够通过执行以下作来获取底层 OpenSAML XMLObject:spring-doc.cadn.net.cn

OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();

生产<saml2:SPSSODescriptor>元数据

您可以通过添加Saml2MetadataFilter添加到过滤器链中,如下所示:spring-doc.cadn.net.cn

DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
    DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
    relyingPartyRegistrationResolver,
    OpenSamlMetadataResolver()
)

http {
    //...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}

您可以使用此元数据终端节点向断言方注册您的信赖方。 这通常就像找到正确的表单字段来提供元数据端点一样简单。spring-doc.cadn.net.cn

默认情况下,元数据端点为/saml2/service-provider-metadata/{registrationId}. 您可以通过调用setRequestMatcher方法:spring-doc.cadn.net.cn

filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))

或者,如果您已在构造函数中注册了自定义信赖方注册解析程序,则可以指定一个不带registrationId提示,如下所示:spring-doc.cadn.net.cn

filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))

改变方式RelyingPartyRegistration被查找

应用自定义RelyingPartyRegistrationResolver对于元数据端点,您可以直接在 Filter 构造函数中提供它,如下所示:spring-doc.cadn.net.cn

RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
Kotlin
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...;
val metadata = new Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver());

// ...

http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java);

如果您应用RelyingPartyRegistrationResolver要删除registrationId从 URI 中,您还必须更改过滤器中的 URI,如下所示:spring-doc.cadn.net.cn

metadata.setRequestMatcher("/saml2/metadata")
Kotlin
metadata.setRequestMatcher("/saml2/metadata")