Description
Spring Security 5.3 allows an application to configure how to send AuthnRequests via RelyingPartyRegistration.ProviderDetails.isSignAuthnRequest and RelyingPartyRegistration.ProviderDetails.binding.
There are two ways these could potentially be set.
The first is via properties.
The sso-url (the location to which AuthnRequests are sent) can already be configured per identity provider like so:

```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          registrationId:
            identityprovider:
              sso-url: https://idp.example.org/SSO.saml2
```

Possibly, an application could also provide sso-binding to indicate whether to redirect or post AuthnRequests. An application could also provide sso-sign to indicate whether or not to sign the AuthnRequest:
```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          registrationId:
            identityprovider:
              sso-url: https://idp.example.org/SSO.saml2
              sso-binding: redirect
              sso-sign: false
```

(Note that when considering these property names, it would be good to remember that this login request metadata may be coupled with logout request metadata in the future - another option, then, may be to evolve the sso-url property to sso.url and thus introduce sso.binding and sso.sign)
The second is that isSignAuthnRequest can be inferred.
The application can configure a list of signing credentials:

```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          registrationId:
            signing.credentials:
              - private-key-location: "classpath:private.key"
                certificate-location: "classpath:certificate.crt"
              - ...
```

In the absence of any signing credentials, it's readily apparent that the application does not intend to sign any AuthnRequests, so isSignAuthnRequest can be set to false.
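The following is an added illustration, not Spring Boot's or Spring Security's code, of how both parts of the proposal above would resolve: the explicit sso-binding / sso-sign properties, and the inference of isSignAuthnRequest from whether any signing credentials are configured. It models the property tree as plain dicts (the sample configurations are constructed for this example), treats an absent sso-binding as redirect (an assumption of this example, not something the issue states), and rejects the one combination that cannot work, sso-sign set to true with no signing credentials to sign with.

```python
"""Resolve proposed spring.security.saml2.relyingparty.registration.*
properties into effective AuthnRequest settings per registration.

Added example (not Spring Boot code). Property names follow the issue;
the REDIRECT default when sso-binding is absent is this example's assumption.
"""
from dataclasses import dataclass

VALID_BINDINGS = ("redirect", "post")


@dataclass(frozen=True)
class AuthnRequestSettings:
    registration_id: str
    sso_url: str
    binding: str   # "redirect" or "post"
    sign: bool     # effective isSignAuthnRequest


def resolve_registration(registration_id, props):
    """Derive (sso_url, binding, sign) for one registration's property map."""
    idp = props.get("identityprovider", {})
    sso_url = idp.get("sso-url")
    if not sso_url:
        raise ValueError(f"{registration_id}: identityprovider.sso-url is required")

    # sso-binding: explicit value, else the (assumed) redirect default.
    binding = str(idp.get("sso-binding", "redirect")).lower()
    if binding not in VALID_BINDINGS:
        raise ValueError(
            f"{registration_id}: sso-binding must be one of {VALID_BINDINGS}, got {binding!r}")

    # "signing.credentials" in YAML binds to the nested signing -> credentials list.
    credentials = props.get("signing", {}).get("credentials", [])
    has_signing_key = any(
        "private-key-location" in c and "certificate-location" in c for c in credentials)

    if "sso-sign" in idp:
        # Explicit property wins, but signing without a key is a misconfiguration.
        sign = bool(idp["sso-sign"])
        if sign and not has_signing_key:
            raise ValueError(
                f"{registration_id}: sso-sign is true but no signing credentials are configured")
    else:
        # Inference: no signing credentials means no intent to sign AuthnRequests.
        sign = has_signing_key
    return AuthnRequestSettings(registration_id, sso_url, binding, sign)


def resolve_all(config):
    """Resolve every registration under spring.security.saml2.relyingparty."""
    registrations = config["spring"]["security"]["saml2"]["relyingparty"]["registration"]
    return {rid: resolve_registration(rid, props) for rid, props in registrations.items()}


# Constructed sample configuration covering the three cases discussed above.
SAMPLE_CONFIG = {
    "spring": {"security": {"saml2": {"relyingparty": {"registration": {
        # Explicit binding and sign, no credentials needed since sign is false.
        "explicit": {
            "identityprovider": {
                "sso-url": "https://idp.example.org/SSO.saml2",
                "sso-binding": "post",
                "sso-sign": False,
            },
        },
        # No sso-sign; signing credentials present, so signing is inferred on.
        "inferred-signed": {
            "identityprovider": {"sso-url": "https://idp.example.org/SSO.saml2"},
            "signing": {"credentials": [
                {"private-key-location": "classpath:private.key",
                 "certificate-location": "classpath:certificate.crt"},
            ]},
        },
        # No sso-sign and no credentials, so signing is inferred off.
        "inferred-unsigned": {
            "identityprovider": {"sso-url": "https://idp.example.org/SSO.saml2"},
        },
    }}}}},
}


def example_settings():
    """Resolve the constructed sample; see the test for expected values."""
    return resolve_all(SAMPLE_CONFIG)


if __name__ == "__main__":
    for settings in example_settings().values():
        print(settings)
```

The explicit branch deliberately refuses `sso-sign: true` without a key pair rather than silently downgrading to an unsigned request, since a relying party that expects signed AuthnRequests would otherwise fail at the identity provider instead of at startup.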