Tags: spring, spring-security

Spring Security SAML Identity Metadata WITHOUT Spring Boot


I keep seeing the following block of code for registering SAML identity providers:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          adfs:
            identityprovider:
              entity-id: https://idp.example.com/issuer
              verification.credentials:
                - certificate-location: "classpath:idp.crt"
              singlesignon.url: https://idp.example.com/issuer/sso
              singlesignon.sign-request: false

However, I have an older project, NOT built on Spring Boot, in which I need to implement multiple SAML identity providers, and converting it is not an option (if we were starting the same project today, of course we would use Spring Boot).

How does the above code translate to doing this manually?


Solution

  • You can do that by exposing a bean of type RelyingPartyRegistrationRepository:

    import java.io.File;
    import java.security.cert.X509Certificate;
    import org.opensaml.security.x509.X509Support;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.saml2.core.Saml2X509Credential;
    import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
    import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
    import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

    @Configuration
    public class Saml2Config {

        // Path to the IdP signing certificate, taken from the property "verification.key"
        @Value("${verification.key}")
        File verificationKey;

        @Bean
        public RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
            // X509Support is OpenSAML's helper for reading a PEM- or DER-encoded certificate
            X509Certificate certificate = X509Support.decodeCertificate(this.verificationKey);
            // A "verification" credential is only used to check signatures on IdP responses/assertions
            Saml2X509Credential credential = Saml2X509Credential.verification(certificate);
            RelyingPartyRegistration registration = RelyingPartyRegistration
                    .withRegistrationId("example")
                    .assertingPartyDetails(party -> party
                        .entityId("https://idp.example.com/issuer")
                        .singleSignOnServiceLocation("https://idp.example.com/SSO.saml2")
                        .wantAuthnRequestsSigned(false)
                        .verificationX509Credentials(c -> c.add(credential))
                    )
                    .build();
            return new InMemoryRelyingPartyRegistrationRepository(registration);
        }
    }
    

    The application.yml properties that you mentioned are just a shortcut to declare this bean from Spring Boot. There is a complete sample not using Spring Boot in the Spring Security samples repository.

    Also, there is an entire section in Spring Security documentation teaching how to override Spring Boot auto-configuration (where I took the code block above).
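The bean in the answer registers a single identity provider, while the question asks for several. The following is an added example (not the answer's code and not code from the Spring Security project) showing the same builder calls applied to a list of identity providers and collected into one InMemoryRelyingPartyRegistrationRepository, which is exactly what Spring Boot does with each entry under `spring.security.saml2.relyingparty.registration`. The IdpSettings record, the registration ids "adfs" and "okta", the entity ids, SSO URLs and certificate paths are all assumptions for illustration; the comments map each builder call to the YAML key it replaces. Certificates are loaded with the JDK's CertificateFactory instead of OpenSAML's X509Support so the configuration class does not depend on OpenSAML, and each certificate is validity-checked at startup.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

@Configuration
public class MultiIdpSaml2Config {

    // Hypothetical holder for one IdP's settings; stands in for whatever
    // configuration source the existing non-Boot project already uses.
    record IdpSettings(String registrationId, String entityId, String ssoUrl,
                       boolean signRequests, Path certificate) {}

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        // Assumed values: replace with the real metadata of each identity provider.
        // sign-request is left false here because "true" additionally requires an SP
        // signing credential via signingX509Credentials(...) on the registration.
        List<IdpSettings> idps = List.of(
            new IdpSettings("adfs", "https://idp.example.com/issuer",
                    "https://idp.example.com/issuer/sso", false, Path.of("/etc/app/saml/adfs.crt")),
            new IdpSettings("okta", "https://okta.example.org/issuer",
                    "https://okta.example.org/sso/saml", false, Path.of("/etc/app/saml/okta.crt")));

        List<RelyingPartyRegistration> registrations = new ArrayList<>();
        for (IdpSettings idp : idps) {
            registrations.add(registrationFor(idp));
        }
        // One repository holding every registration; each is addressed by its
        // registrationId (e.g. /saml2/authenticate/adfs, /login/saml2/sso/okta).
        return new InMemoryRelyingPartyRegistrationRepository(registrations);
    }

    // One RelyingPartyRegistration per IdP, mirroring the Boot YAML keys.
    static RelyingPartyRegistration registrationFor(IdpSettings idp) throws Exception {
        X509Certificate idpCert = loadCertificate(idp.certificate());
        // verification.credentials[].certificate-location -> a verification-only credential,
        // i.e. the certificate that IdP responses/assertions must be signed with.
        Saml2X509Credential verification = Saml2X509Credential.verification(idpCert);
        return RelyingPartyRegistration.withRegistrationId(idp.registrationId()) // registration.<id>
                .assertingPartyDetails(party -> party
                        .entityId(idp.entityId())                      // identityprovider.entity-id
                        .singleSignOnServiceLocation(idp.ssoUrl())     // singlesignon.url
                        .wantAuthnRequestsSigned(idp.signRequests())   // singlesignon.sign-request
                        .verificationX509Credentials(c -> c.add(verification)))
                .build();
    }

    // Reads a PEM- or DER-encoded X.509 certificate with the JDK only and rejects an
    // expired or not-yet-valid one at startup instead of at the first failed login.
    static X509Certificate loadCertificate(Path path) throws Exception {
        try (InputStream in = Files.newInputStream(path)) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
            cert.checkValidity();
            return cert;
        }
    }
}
```

The builder methods used here (assertingPartyDetails, wantAuthnRequestsSigned, verificationX509Credentials) are the Spring Security 5.4+ RelyingPartyRegistration API that the Boot properties are bound to; an application that is not on Spring Boot still needs its own SecurityFilterChain (or WebSecurityConfigurerAdapter) enabling saml2Login, which picks this repository bean up by type.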