Add Registration to Saml2Authentication

jzheaux · jzheaux · commit efe42b93cec4 · 2021-04-10T00:12:38.000-06:00
Closes gh-9487
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
@@ -107,6 +107,7 @@ where
 * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue
 * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and
 * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s.
+* `adfs` is <<servlet-saml2login-relyingpartyregistrationid, an arbitrary identifier you choose>>
 
 And that's it!
 
@@ -190,6 +191,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs
 Then, it places that principal and the authorities into a `Saml2Authentication`.
 
 The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element.
+`Saml2Authentication#getRelyingPartyRegistrationId` holds the <<servlet-saml2login-relyingpartyregistrationid,identifier to the associated `RelyingPartyRegistration`>>.
 
 [[servlet-saml2login-opensaml-customization]]
 ==== Customizing OpenSAML Configuration
@@ -230,7 +232,7 @@ static {
 				authnRequest.setForceAuthN(true);
             }
 		}
-		
+
 	    factory.getMarshallerFactory().registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, marshaller);
 	});
 }
@@ -342,6 +344,10 @@ public RelyingPartyRegistrationRepository relyingPartyRegistrations() {
 ----
 ====
 
+[[servlet-saml2login-relyingpartyregistrationid]]
+[NOTE]
+The `registrationId` is an arbitrary value that you choose for differentiating between registrations.
+
 Or you can provide each detail manually, as you can see below:
 
 .Relying Party Registration Repository Manual Configuration
diff --git a/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java b/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
@@ -22,6 +22,7 @@
 import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
 
 /**
@@ -41,14 +42,40 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
 
 	private final String saml2Response;
 
+	private final String relyingPartyRegistrationId;
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @deprecated Use
+	 * {@link #Saml2Authentication(AuthenticatedPrincipal, String, Collection, String)}
+	 */
+	@Deprecated
 	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
 			Collection<? extends GrantedAuthority> authorities) {
+		this(principal, saml2Response, authorities, null);
+	}
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @param relyingPartyRegistrationId the
+	 * {@link RelyingPartyRegistration#getRegistrationId} associated with this user
+	 * @since 5.5
+	 */
+	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
+			Collection<? extends GrantedAuthority> authorities, String relyingPartyRegistrationId) {
 		super(authorities);
 		Assert.notNull(principal, "principal cannot be null");
 		Assert.hasText(saml2Response, "saml2Response cannot be null");
 		this.principal = principal;
 		this.saml2Response = saml2Response;
 		setAuthenticated(true);
+		this.relyingPartyRegistrationId = relyingPartyRegistrationId;
 	}
 
 	@Override
@@ -69,4 +96,14 @@ public Object getCredentials() {
 		return getSaml2Response();
 	}
 
+	/**
+	 * Get the registration id associated with the {@link RelyingPartyRegistration} that
+	 * this user belongs to
+	 * @return the relying party registration id
+	 * @since 5.5
+	 */
+	public String getRelyingPartyRegistrationId() {
+		return this.relyingPartyRegistrationId;
+	}
+
 }
diff --git a/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -425,7 +425,8 @@ public static Converter<ResponseToken, Saml2Authentication> createDefaultRespons
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
+					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 
@@ -627,8 +628,8 @@ private Converter<ResponseToken, Saml2Authentication> createCompatibleResponseAu
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(),
-					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
+					token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 
diff --git a/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -365,7 +365,8 @@ public static Converter<ResponseToken, Saml2Authentication> createDefaultRespons
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
+					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,8 @@ public static Converter<ResponseToken, Saml2Authentication> createDefaultRespons`
`365`	`365`	`String username = assertion.getSubject().getNameID().getValue();`
`366`	`366`	`Map<String, List<Object>> attributes = getAssertionAttributes(assertion);`
`367`	`367`	`return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),`
`368`		`- token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));`
	`368`	`+ token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"),`
	`369`	`+ responseToken.token.getRelyingPartyRegistration().getRegistrationId());`
`369`	`370`	`};`
`370`	`371`	`}`
`371`	`372`