Automatically refresh saml metadata in configurable intervals

[dawi]

Expected Behavior

The spring-security-saml extension provides a HTTPMetadataProvider which is able to automatically refresh saml metadata in configurable intervals. It would be nice if this feature would also be supported by spring security.

Current Behavior

The current API, as far as I can see, does not support automatic metadata reloading.

I tried to implement a custom InMemoryRelyingPartyRegistrationRepository, but it seems that there are edge cases which I don't know how to handle correctly. E.g it should be possible to start the application while the IDP is not available and it should recover after IDP is available again.

[jzheaux]

I think that there are a couple of ways that you can achieve this with existing Spring components:

• First, you can create an implementation of RelyingPartyRegistrationRepository where findByRegistrationId computes the RelyingPartyRegistration and then caches the results for a period of time, like with the @Cacheable annotation.

• Second, you can create an implementation of RelyingPartyRegistrationRepository where an additional @Scheduled method computes the RelyingPartyRegistration periodically.

Spring's caching and scheduling support is very likely to exceed anything that Spring Security could provide. This approach is also nice because it allows you to periodically update the relying party side of the configuration.

Does that clear things up, or is there still something you'd like to see Spring Security provide?

[dawi]

Yes, it's fairly easy to create a simple RelyingPartyRegistrationRepository implementation.

I found one pitfall though: If you implement a custom RelyingPartyRegistrationRepository by implementing RelyingPartyRegistrationRepository and don't implement Iterable<RelyingPartyRegistration> too, then singleProvider in Saml2LoginConfigurer will be false and the "auto-redirect to provider login page" is not done. Therefore it may make sense to implement Iterable<RelyingPartyRegistration> also if only one RelyingPartyRegistration is configured. See:

spring-security/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

Line 214 in 6714112

boolean singleProvider = providerUrlMap.size() == 1;

---

I created two examples of how metadata-reloading could be implemented:

• keycloak-saml-4-with-metadata-reloading
• keycloak-saml-5-with-bootiful-metadata-reloading

Nice thing is that not only IDP metadata is reloaded, but SP certificates as well.

Those are only examples and may very well be improved, but I think they show that it's not as simple as it should/could be.

---

From a user perspective it would be nice if all this could be part of spring security and spring boot.

If this is really out of scope of spring security, maybe I can open a ticket in spring-boot.

[jzheaux]

@dawi, I think one thing that might help the community is a sample. Would you be able to contribute a Boot-based sample to spring-security-samples that shows what a custom RelyingPartyRegistrationRepository looks like?

This would help with the gotcha you mentioned as well as give a starting point to folks who are migrating spring-security-saml apps.

[jzheaux]

Closing in favor of spring-projects/spring-security-samples#2

[OrangeDog]

SAML specifies both cacheDuration and validUntil attributes. An implementation should follow these for each entity and refresh accordingly, rather than refresh everything at a fixed interval.