Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry.

Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However, I noticed that users that log in via SAML don't get their session added to the SessionRegistry.
The usual context file for form-based authentication contains the following:

    <session-management
        invalid-session-url="/login"
        session-fixation-protection="newSession"
        session-authentication-error-url="/login?invalid_session=1">
        <concurrency-control
            max-sessions="1"
            error-if-maximum-exceeded="false"
            session-registry-alias="springSessionRegistry"/>
    </session-management>
In my http element for the SAML configuration I added the same. This created a new SessionRegistry, but it did not contain anything. I also tried

    <concurrency-control session-registry-ref="springSessionRegistry"/>

but this did not contain any SAML-authenticated sessions either.

So how can I access SAML sessions?
The problem is that the bean definition parsers of Spring Security only automatically link the beans created from the session-management and concurrency-control elements to the authentication processors included in the core Spring Security modules. This means that SAMLProcessingFilter.setSessionAuthenticationStrategy() isn't called.

You should be able to get it working by declaring the samlWebSSOProcessingFilter bean in the following way (which refers to the concurrency bean automatically created by the concurrency-control element):
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
        <property name="sessionAuthenticationStrategy" ref="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0"/>
    </bean>
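As an added example (not taken from the question or the answer above), here is the same wiring with the session registry and the concurrency strategy declared explicitly, so the form-login concurrency control and the SAML filter share one registry without referencing the auto-generated "...#0" bean name. The bean ids sessionRegistry and samlSessionStrategy are assumed names; the class names are the ones the answer already uses, and the rest of the SAML http configuration (entry point, custom-filter registration, metadata) is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one SessionRegistry shared by form login and SAML login.
     Bean ids "sessionRegistry" and "samlSessionStrategy" are assumed names. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Single registry. As long as SAML logins are not registered here,
         max-sessions="1" is never enforced for them. -->
    <bean id="sessionRegistry"
          class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <!-- Strategy the SAML filter calls on success; mirrors the limits
         configured in concurrency-control below. -->
    <bean id="samlSessionStrategy"
          class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg ref="sessionRegistry"/>
        <property name="maximumSessions" value="1"/>
        <property name="exceptionIfMaximumExceeded" value="false"/>
    </bean>

    <!-- Form login keeps the namespace-managed concurrency control, but
         pointed at the shared registry instead of a freshly created one. -->
    <security:http>
        <security:form-login login-page="/login"/>
        <security:session-management
                invalid-session-url="/login"
                session-fixation-protection="newSession"
                session-authentication-error-url="/login?invalid_session=1">
            <security:concurrency-control
                    max-sessions="1"
                    error-if-maximum-exceeded="false"
                    session-registry-ref="sessionRegistry"/>
        </security:session-management>
    </security:http>

    <!-- SAML processing filter, now registering its sessions explicitly. -->
    <bean id="samlWebSSOProcessingFilter"
          class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
        <property name="sessionAuthenticationStrategy" ref="samlSessionStrategy"/>
    </bean>
</beans>
```

The registry only stays accurate if session destruction is reported to it, so the HttpSessionEventPublisher listener still has to be registered in web.xml as for plain form login.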