Generalize SAML 2.0 Assertion Validation Support #8970

Closed
@jzheaux

Recent support for configuring OpenSAML's ConditionValidators and ValidationContext was added to OpenSamlAuthenticationProvider.

Based on some early RC1 feedback, it would be nice if the assertion validation support were more generalized.

Since delegation is a common pattern in Spring Security, it would make sense to have a setter that encouraged this practice. Also, it would be nice if the contract were more similar to OAuth2TokenValidator's. One way to do this would be to replace setConditionValidators and setValidationContextConverter with two other methods:

public void setAssertionValidator(
        Converter<AssertionToken, Saml2ResponseValidatorResult> assertionValidator);

public static Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionValidator(
        ValidationContext context);

These are similar to JwtDecoder#setJwtValidator and JwtValidators#createDefault methods.

Together, these allow an application to customize validation and delegate to Spring Security's defaults, like so:

OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionValidator(assertionToken -> {
    ValidationContext context = ...;
    Saml2ResponseValidatorResult result =
            createDefaultAssertionValidator(context).convert(assertionToken);
    Saml2ResponseValidatorResult custom =
            myCustomValidator.convert(assertionToken);
    return result.concat(custom);
});
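
One possible shape for the myCustomValidator used in the snippet above, as an added example that is not part of the original issue or of Spring Security's own code. The class name TrustedIssuerAssertionValidator and its two checks are hypothetical; the imports assume that AssertionToken is nested in OpenSamlAuthenticationProvider and that Saml2Error and Saml2ErrorCodes come from the saml2.core package.

```java
import java.util.Set;

import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;

// Hypothetical custom validator: the class name and both checks are illustrative.
public class TrustedIssuerAssertionValidator
        implements Converter<AssertionToken, Saml2ResponseValidatorResult> {

    private final Set<String> trustedIssuers;

    public TrustedIssuerAssertionValidator(Set<String> trustedIssuers) {
        // Defensive copy so the allow-list cannot change after construction.
        this.trustedIssuers = Set.copyOf(trustedIssuers);
    }

    @Override
    public Saml2ResponseValidatorResult convert(AssertionToken token) {
        Assertion assertion = token.getAssertion();
        Saml2ResponseValidatorResult result = Saml2ResponseValidatorResult.success();

        // Fail closed: a missing Issuer element is treated like an untrusted one.
        String issuer = (assertion.getIssuer() != null)
                ? assertion.getIssuer().getValue() : null;
        if (issuer == null || !this.trustedIssuers.contains(issuer)) {
            result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER,
                    "Assertion issuer is not on the allow-list"));
        }

        // Reject assertions that carry attributes but no authentication statement.
        if (assertion.getAuthnStatements().isEmpty()) {
            result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_ASSERTION,
                    "Assertion contains no AuthnStatement"));
        }

        // Errors accumulate rather than short-circuit, so the caller can
        // concat this result with the default validator's result.
        return result;
    }
}
```

Because each check only appends to the result, concatenating this validator's output with the default validator's output can add failures but never remove one the defaults reported.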
