Saml2RelyingPartyAutoConfiguration should use RelyingPartyRegistrations #22986

@jzheaux

Description

Like ClientRegistrations in Spring Security's OAuth 2.0 support, Spring Security's SAML 2.0 support can now prepare a RelyingPartyRegistration.Builder from a given metadata endpoint as of 5.4.0-RC1.

It would be nice for an application to be able to do the following:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          example:
            identityprovider:
              metadata-uri: https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php

in order to reduce configuration.

In the absence of a RelyingPartyRegistrationRepository in the application context, Spring Boot could do:

RelyingPartyRegistration registration = RelyingPartyRegistrations
        .fromMetadataLocation(metadataUri)
        .registrationId(registrationId)
        .build();

Any SP configuration should still be provided to the builder. For example, if the application also specifies signing keys:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          example:
            signing.credentials:
              - private-key-location: "classpath:credentials/rp-private.key"
                certificate-location: "classpath:credentials/rp-certificate.crt"
            identityprovider:
              metadata-uri: https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php

then these should still be configured:

        // ...
        .registrationId(registrationId)
        .signingX509Credentials(c -> c.add(privateKey, certificate))
        .build();

Note that Spring Boot's auto configuration currently errors if there are no signing keys specified by the application. From a validation standpoint, though, if RelyingPartyRegistration#getAssertingPartyDetails#wantAuthnRequestsSigned returns false, there is no need for the application to specify these keys.
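The following is an added sketch of what such an auto-configuration could look like, written for this page and not code from the Spring Boot or Spring Security projects. It wires the two steps the issue describes (build the registration from the metadata URI, then layer the application's signing credentials on top) and applies the validation point above: when the identity provider's metadata says it does not want signed AuthnRequests, missing signing keys are accepted; when it does want them, startup fails with a specific message instead of the first login failing. The `RegistrationSettings` class is a hypothetical stand-in for the bound properties, not Boot's real properties class, and `RelyingPartyRegistration.withRelyingPartyRegistration`, `Saml2X509Credential.signing` and `RsaKeyConverters.pkcs8` are assumed to be available as they are in Spring Security 5.4.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;

import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
public class MetadataRelyingPartyConfiguration {

    /** Hypothetical holder for the values the YAML above would bind to (not Boot's real properties class). */
    public static class RegistrationSettings {
        String registrationId = "example";
        String metadataUri = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
        Resource privateKeyLocation;   // null when the application configured no signing key
        Resource certificateLocation;  // null when the application configured no signing certificate
    }

    // Only kicks in when the application did not supply its own repository, as the issue proposes.
    @Bean
    @ConditionalOnMissingBean(RelyingPartyRegistrationRepository.class)
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(RegistrationSettings settings)
            throws Exception {
        return new InMemoryRelyingPartyRegistrationRepository(buildRegistration(settings));
    }

    static RelyingPartyRegistration buildRegistration(RegistrationSettings settings) throws Exception {
        // Asserting party (IdP) details, including its verification certificates and the
        // WantAuthnRequestsSigned flag, come from the metadata document. The URI should be https
        // so the certificates that will later verify assertions cannot be swapped in transit.
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(settings.metadataUri)
                .registrationId(settings.registrationId)
                .build();

        boolean hasSigningKey = settings.privateKeyLocation != null && settings.certificateLocation != null;
        boolean idpWantsSignedRequests = registration.getAssertingPartyDetails().getWantAuthnRequestsSigned();

        if (!hasSigningKey) {
            if (idpWantsSignedRequests) {
                // Fail fast at startup with a precise reason instead of at the first login attempt.
                throw new IllegalStateException("Identity provider '" + settings.registrationId
                        + "' requires signed AuthnRequests but no signing credentials are configured");
            }
            return registration; // metadata permits unsigned requests: no keys are needed
        }

        // SP-side configuration is still layered on top of what the metadata provided.
        Saml2X509Credential signing = Saml2X509Credential.signing(
                readPrivateKey(settings.privateKeyLocation), readCertificate(settings.certificateLocation));
        return RelyingPartyRegistration.withRelyingPartyRegistration(registration)
                .signingX509Credentials(c -> c.add(signing))
                .build();
    }

    static RSAPrivateKey readPrivateKey(Resource location) throws IOException {
        try (InputStream in = location.getInputStream()) {
            return RsaKeyConverters.pkcs8().convert(in); // expects a PEM "BEGIN PRIVATE KEY" block
        }
    }

    static X509Certificate readCertificate(Resource location) throws Exception {
        try (InputStream in = location.getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

Because the metadata is fetched when the bean is created, a wrong or unreachable `metadata-uri` surfaces as a startup failure rather than a runtime one, which is the behaviour an operator usually wants for identity configuration.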
