SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory

[Primedo]

Summary

Add RequestedAuthnContext with Comparison and AuthnContextClassRef to require a certain authentication from the IdP.

Actual Behavior

OpenSamlAuthenticationRequestFactory creates the AuthnRequest with an Saml2AuthenticationRequest, but isn't possible to modify the AuthnRequest.

Expected Behavior

Either transport the required information via Saml2AuthenticationRequestContext or allow the modification of the created AuthnRequest before it is serialized.

Version

5.3.0-RELEASE

Additional Information

I am willing to work on this issue, but I am uncertain, what the expected direction could be. Personally I would prefer something like an ObjectPostProcessor where I would also have access to the HttpServletRequest so I could adjust the AuthnRequest according to the current user.

[jzheaux]

Thanks for the suggestion, @Primedo.

I think it makes sense to add support for custom attributes to Saml2AuthenticationRequestContext.

Since AuthenticationRequestFactory is abstracted away from the Servlet API, though, a post processor that includes HttpServletRequest in the contract likely wouldn't work.

What would you think of a Converter<Saml2AuthenticationRequestContext, AuthnRequest> setter on OpenSamlAuthenticationRequestFactory? The converter could use the custom context attributes to control how the AuthnRequest is configured.

[Primedo]

Josh, thank you for your feedback.

This is what I came up with until now and I hope it isn't the complete opposite of what you suggested: master...Primedo:gh-8141

I removed Saml2AuthenticationRequest since it was deprecated and I couldn't create a Saml2AuthenticationRequestContext from it.

Since I didn't want to create a new AuthnRequest and wanted to reuse the OpenSamlImplementation to create Objects I created a different converter with again another Context Converter<OpenSamlAuthenticationRequestContext, AuthnRequest>

What do you think, is this going in the right direction and what should I change?

[jzheaux]

Thanks for taking some time to try this out, @Primedo.

Let's see if it's possible to only focus on customizing the AuthnRequest. For example, I don't think we should remove methods in this PR. Indeed, if they must be removed for this feature to be added, then we'd need to wait until 6.0 to do it.

Regarding custom attributes, let's follow the pattern set out in OAuth2AuthorizationContext. Note that there the method is called getAttributes and the builder has a method called attributes that takes a Consumer.

As for a composite OpenSamlAuthenticationRequestContext object, I'm hesitant to add a new type to address this enhancement. Can you elaborate on precisely what you are wanting to add to the AuthnRequest and what additional context you need to be able to configure it correctly?

[Primedo]

@jzheaux, what is your take on this change?
master...Primedo:gh-8141

I skipped the suggested Converter for this change.

[jzheaux]

I think I need to have a clearer idea on what inputs are determining what outputs. So far, I understand that you'd prefer to take something from the HttpServletRequest, but I'm not clear on what and on how that manifests itself in the resulting AuthnRequest.

Can you elaborate on precisely what you are wanting to add to the AuthnRequest and what inputs determine what gets added?

[Primedo]

I want the current user (anonymous or authenticated) to authenticate with an exact or better authentication method based on the needed authentication level for the desired action (e. g. second factor to change password, identity card to change address, username-password or better for initial authentication). And RequestedAuthnContext could be used to transport the desired authentication level.

https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf

Does this explain the requirement?

[jzheaux]

Yes, that helps, @Primedo.

When it's an authenticated user, are the details you need tied to the current Authentication? For example, could you do Authentication current = SecurityContextHolder.getContext().getAuthentication(); and find your inputs from current?

[Primedo]

and find your inputs from current

Yes, that would work.

And for anonymous users it would be helpful to have some context (cookie, URL, session or something else), so that the desired RequestedAuthnContext is known before creating the SAML Request.

[jzheaux]

And for anonymous users it would be helpful to have some context (cookie, URL, session or something else)

Do you have a concrete requirement here? Otherwise, maybe we wait on that aspect for now.

Yes, that would work.

One thing you should be able to do then, which would require no enhancement at all, is for you to extend OpenSAML's AuthnRequestMarshaller, registering it with XMLObjectProviderRegistrySupport.registerObjectProvider. There, you'd have full control over post-processing the AuthnRequest.

[Primedo]

Do you have a concrete requirement here? Otherwise, maybe we wait on that aspect for now.

An anonymous user is on the public site and wants to change his address. Since address change does require an authentication by id card or better this information should be transported to the IdP, otherwise the anonymous user would maybe have to authenticate twice with different methods.

which would require no enhancement at all,

Thanks, is this your preferred solution for this issue?

[jzheaux]

Yes, @Primedo, if you can work with OpenSAML directly for your customization of the AuthnRequest, that would be ideal.

Of course, feel free to reopen this ticket if you run into trouble and want to take another look at changing OpenSamlAuthenticationRequestFactory.