Description
Expected Behavior
The ability to have access to AuthnRequest Id and Response InResponseTo when saving and loading AbstractSaml2AuthenticationRequests via Saml2AuthenticationRequestRepository
Current Behavior
When saving and loading the request via Saml2AuthenticationRequestRepository the user receives AbstractSaml2AuthenticationRequest and HTTP request and response. There is no easy way to access the AuthnRequest Id and the Response InResponseTo when saving and loading requests.
Context
When using Spring Session, the requests cannot be loaded using the default HttpSessionSaml2AuthenticationRequestRepository because the session cookie uses SameSite=Lax, as described in #10828. We are looking to create a custom Saml2AuthenticationRequestRepository that can store and load the requests keyed by the AuthnRequest ID instead of relying on the session.
The workaround we are using for now is to create a custom assertionValidator and responseValidator that filter out the InResponseTo validation errors.
```kotlin
openSamlAuthenticationProvider.setResponseValidator { token ->
    val result = OpenSaml4AuthenticationProvider.createDefaultResponseValidator().convert(token)
    // Saml2ResponseValidatorResult is immutable: concat() returns a new result,
    // so it has to be reassigned rather than discarded
    var newResult = Saml2ResponseValidatorResult.success()
    result?.errors?.forEach { error ->
        if (error.errorCode != org.springframework.security.saml2.core.Saml2ErrorCodes.INVALID_IN_RESPONSE_TO) {
            newResult = newResult.concat(error)
        }
    }
    newResult
}
```
For retrieving the AuthnRequest ID we could also use code similar to OpenSaml4AuthenticationProvider#getAuthnRequestId, but it would require our own implementation because that method is currently private.
It's also possible this is more appropriate as a Stack Overflow question on how to get the ID and InResponseTo from an HttpServletRequest.
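The two lookups the ID-keyed repository needs, written here as an added example rather than code from this issue or from Spring Security: the AuthnRequest ID is read from the saved request (inflating first for the Redirect binding, which uses raw DEFLATE before base64), and InResponseTo is read from the incoming SAMLResponse parameter. It assumes Spring Security 5.x with javax.servlet; the helper names are hypothetical.

```kotlin
import java.io.ByteArrayOutputStream
import java.util.Base64
import java.util.zip.Inflater
import javax.servlet.http.HttpServletRequest
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding

// DOM parser with DTD handling disabled: the SAMLResponse is attacker-supplied input and is
// parsed here before any signature check, so it must not be able to trigger XXE or entity expansion.
private val parserFactory: DocumentBuilderFactory = DocumentBuilderFactory.newInstance().apply {
    isNamespaceAware = true
    setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    setFeature("http://xml.org/sax/features/external-general-entities", false)
    setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    isXIncludeAware = false
    isExpandEntityReferences = false
}
// Reads one attribute of the root element (samlp:AuthnRequest or samlp:Response); null if absent.
private fun rootAttribute(xml: ByteArray, name: String): String? =
    parserFactory.newDocumentBuilder().parse(xml.inputStream())
        .documentElement.getAttribute(name).ifEmpty { null }
// The Redirect binding applies raw DEFLATE (no zlib header) before base64; POST is base64 only.
private fun inflate(deflated: ByteArray): ByteArray {
    val inflater = Inflater(true).apply { setInput(deflated) }
    val out = ByteArrayOutputStream()
    val buf = ByteArray(4096)
    while (!inflater.finished()) {
        val n = inflater.inflate(buf)
        if (n == 0 && inflater.needsInput()) break // truncated input, stop rather than spin
        out.write(buf, 0, n)
    }
    inflater.end()
    return out.toByteArray()
}
// ID of the AuthnRequest about to be sent: the storage key for saveAuthenticationRequest (hypothetical helper).
fun authnRequestId(request: AbstractSaml2AuthenticationRequest): String? {
    val raw = Base64.getMimeDecoder().decode(request.samlRequest)
    val xml = if (request.binding == Saml2MessageBinding.REDIRECT) inflate(raw) else raw
    return rootAttribute(xml, "ID")
}
// InResponseTo of the incoming SAMLResponse: the lookup key for load/remove (hypothetical helper).
// It is only a lookup key; keep the default InResponseTo validation so the stored request is still matched.
fun inResponseTo(httpRequest: HttpServletRequest): String? {
    val encoded = httpRequest.getParameter("SAMLResponse") ?: return null
    return rootAttribute(Base64.getMimeDecoder().decode(encoded), "InResponseTo")
}
```

With these two functions a Saml2AuthenticationRequestRepository can store the request under authnRequestId on save and fetch it under inResponseTo on load, which avoids the SameSite cookie problem without disabling the INVALID_IN_RESPONSE_TO check.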