Description
Expected Behavior
The username (in the sense of the principal name) can be released by the IdP either in the NameID element of the Assertion returned for an AuthnRequest, or in one of the Assertion's Attribute elements instead. The NameID, when present (it is optional, as also discussed in #11463), can have different Formats and therefore hold different kinds of values.
It would be nice to have a more convenient way to configure where the username is retrieved from: the NameID element, or the Name of an Assertion Attribute that is expected to hold the username.
Current Behavior
Spring SAML considers only the NameID element to hold the username, and OpenSaml4AuthenticationProvider populates Saml2AuthenticatedPrincipal#name with the NameID value.
Context
Example for integration with Shibboleth: the IdP releases a NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient (according to the SAML spec, this indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party). The username is released in one of the Assertion Attributes instead.
Workaround: a custom responseAuthenticationConverter that retrieves the username from the Attribute.
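The workaround above, written out as an added example (not code from the issue or from Spring Security itself): it wraps the framework's default response authentication converter, keeps its validation and attribute extraction, and replaces the principal name with the value of an assumed attribute named "uid". If the attribute is missing it rejects the response rather than silently using the transient NameID, which would give the user a different identity on every login.

```java
import java.util.List;
import java.util.Map;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;

public final class AttributeUsernameConverter
        implements Converter<ResponseToken, Saml2Authentication> {

    // Assumed attribute name; a real deployment configures whatever the IdP releases.
    private static final String USERNAME_ATTRIBUTE = "uid";

    // Reuse the framework default for signature/condition validation and attribute extraction.
    private final Converter<ResponseToken, Saml2Authentication> delegate =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

    @Override
    public Saml2Authentication convert(ResponseToken responseToken) {
        Saml2Authentication defaults = delegate.convert(responseToken);
        Saml2AuthenticatedPrincipal nameIdPrincipal = (Saml2AuthenticatedPrincipal) defaults.getPrincipal();
        Map<String, List<Object>> attributes = nameIdPrincipal.getAttributes();

        // No fallback to the transient NameID: it is opaque and changes per session,
        // so treating it as the username would create a new identity on each login.
        Object username = nameIdPrincipal.getFirstAttribute(USERNAME_ATTRIBUTE);
        if (!(username instanceof String) || ((String) username).isEmpty()) {
            throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_ASSERTION,
                    "Assertion does not carry the username attribute " + USERNAME_ATTRIBUTE));
        }

        DefaultSaml2AuthenticatedPrincipal principal =
                new DefaultSaml2AuthenticatedPrincipal((String) username, attributes);
        principal.setRelyingPartyRegistrationId(nameIdPrincipal.getRelyingPartyRegistrationId());
        return new Saml2Authentication(principal, defaults.getSaml2Response(), defaults.getAuthorities());
    }

    // Wire the converter into the provider used by the SAML login filter.
    public static OpenSaml4AuthenticationProvider provider() {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        provider.setResponseAuthenticationConverter(new AttributeUsernameConverter());
        return provider;
    }
}
```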