Saml 2.0 Metadata

Spring Security can parse asserting party metadata to produce an AssertingPartyDetails instance, and can publish relying party metadata from a RelyingPartyRegistration instance.

Parsing <saml2:IDPSSODescriptor> metadata

You can parse an asserting party's metadata using RelyingPartyRegistrations.

When using the OpenSAML vendor support, the resulting AssertingPartyDetails will be of type OpenSamlAssertingPartyDetails. This means you can get at the underlying OpenSAML XMLObject by doing the following:

  • Java

    OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
            registration.getAssertingPartyDetails();
    EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();

  • Kotlin

    val details: OpenSamlAssertingPartyDetails =
            registration.assertingPartyDetails as OpenSamlAssertingPartyDetails
    val openSamlEntityDescriptor: EntityDescriptor = details.entityDescriptor
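The following is an added example, not code from the Spring Security reference, that puts the two points above together: it parses an asserting party's metadata with RelyingPartyRegistrations, checks the trust-relevant values the parser extracted (above all, the signing certificates that Response and Assertion signatures will be verified against), and then drops down to the OpenSAML EntityDescriptor for a value the typed API does not expose. The metadata URL and the registration id "idp" are placeholders; the example assumes OpenSAML is on the classpath so that the cast to OpenSamlAssertingPartyDetails succeeds.

```java
import java.util.Collection;

import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.OpenSamlAssertingPartyDetails;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

public class AssertingPartyMetadataExample {

    // Placeholder (assumption): the asserting party's metadata document. In a real
    // deployment this is fetched over HTTPS or loaded from a file obtained out of band,
    // because whatever this document says is what the relying party will trust.
    static final String METADATA_LOCATION = "https://idp.example.org/metadata.xml";

    // Parse the metadata into a RelyingPartyRegistration and wrap it in a repository.
    public static RelyingPartyRegistrationRepository repository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(METADATA_LOCATION)
                .registrationId("idp")   // placeholder registration id
                .build();
        inspect(registration);
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    // Report what the parser pulled out of <saml2:IDPSSODescriptor>, and refuse a
    // registration that carries no signing certificate at all.
    static void inspect(RelyingPartyRegistration registration) {
        RelyingPartyRegistration.AssertingPartyDetails details = registration.getAssertingPartyDetails();
        System.out.println("entityID:                  " + details.getEntityId());
        System.out.println("SSO location:              " + details.getSingleSignOnServiceLocation());
        System.out.println("SSO binding:               " + details.getSingleSignOnServiceBinding());
        System.out.println("wants signed AuthnRequest: " + details.getWantAuthnRequestsSigned());

        // These are the certificates used to verify Response/Assertion signatures.
        Collection<Saml2X509Credential> verification = details.getVerificationX509Credentials();
        if (verification.isEmpty()) {
            throw new IllegalStateException(
                    "metadata exposed no signing certificate for " + details.getEntityId());
        }
        for (Saml2X509Credential credential : verification) {
            System.out.println("signing cert subject:      "
                    + credential.getCertificate().getSubjectX500Principal());
        }

        // With the OpenSAML vendor support the details also carry the parsed
        // EntityDescriptor, so values the typed API omits (here validUntil) are reachable.
        if (details instanceof OpenSamlAssertingPartyDetails openSamlDetails) {
            EntityDescriptor descriptor = openSamlDetails.getEntityDescriptor();
            System.out.println("validUntil:                " + descriptor.getValidUntil());
        }
    }
}
```

Calling repository() from a @Bean method is enough to register the result; the inspect step is where a deployment would add its own checks, for example comparing the signing certificates against the ones it expects before the registration is handed to the repository.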

Producing <saml2:SPSSODescriptor> Metadata

You can publish a metadata endpoint using the saml2Metadata DSL method, as shown below:

  • Java

    http
        // ...
        .saml2Login(withDefaults())
        .saml2Metadata(withDefaults());

  • Kotlin

    http {
        //...
        saml2Login { }
        saml2Metadata { }
    }

You can use this metadata endpoint to register your relying party with your asserting party. This is often as simple as finding the correct form field in which to supply the metadata endpoint.

By default, the metadata endpoint is /saml2/metadata, though it also responds to /saml2/metadata/{registrationId} and /saml2/service-provider-metadata/{registrationId}.

You can change this by calling the metadataUrl method in the DSL:

  • Java

    .saml2Metadata((saml2) -> saml2.metadataUrl("/saml/metadata"))

  • Kotlin

    saml2Metadata {
        metadataUrl = "/saml/metadata"
    }

Changing the Way a RelyingPartyRegistration Is Looked Up

If you have a different strategy for identifying which RelyingPartyRegistration to use, you can configure your own Saml2MetadataResponseResolver like the one below:

  • Java

    @Bean
    Saml2MetadataResponseResolver metadataResponseResolver(RelyingPartyRegistrationRepository registrations) {
        // The first argument is the lookup strategy; the second serializes the
        // chosen RelyingPartyRegistration into <saml2:SPSSODescriptor> metadata.
        RequestMatcherMetadataResponseResolver metadata = new RequestMatcherMetadataResponseResolver(
                (id) -> registrations.findByRegistrationId("relying-party"),
                new OpenSamlMetadataResolver());
        metadata.setMetadataFilename("metadata.xml");
        return metadata;
    }

  • Kotlin

    @Bean
    fun metadataResponseResolver(registrations: RelyingPartyRegistrationRepository): Saml2MetadataResponseResolver {
        // The first argument is the lookup strategy; the second serializes the
        // chosen RelyingPartyRegistration into <saml2:SPSSODescriptor> metadata.
        val metadata = RequestMatcherMetadataResponseResolver(
                { id: String -> registrations.findByRegistrationId("relying-party") },
                OpenSamlMetadataResolver())
        metadata.setMetadataFilename("metadata.xml")
        return metadata
    }