From e77dc60744835d37612ff389b73650a4e2ab80eb Mon Sep 17 00:00:00 2001
From: Stephane Nicoll <snicoll@pivotal.io>
Date: Mon, 19 Oct 2020 14:04:49 +0200
Subject: [PATCH] Add configuration properties for SAML2 relying party
 registration's ASM

This commit allows to configure the location and binding of the
Assertion Consumer Service used by a SAML2 relying party.

Closes gh-23746
---
 .../saml2/Saml2RelyingPartyProperties.java    | 41 +++++++++++++++++++
 ...RelyingPartyRegistrationConfiguration.java |  5 +--
 ...ml2RelyingPartyAutoConfigurationTests.java |  7 +++-
 3 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
index d99e58226c..43ad78f5b6 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
@@ -56,6 +56,11 @@ public class Saml2RelyingPartyProperties {
 		 */
 		private String entityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
 
+		/**
+		 * Assertion Consumer Service.
+		 */
+		private final Acs acs = new Acs();
+
 		private final Signing signing = new Signing();
 
 		/**
@@ -71,6 +76,10 @@ public class Saml2RelyingPartyProperties {
 			this.entityId = entityId;
 		}
 
+		public Acs getAcs() {
+			return this.acs;
+		}
+
 		public Signing getSigning() {
 			return this.signing;
 		}
@@ -79,6 +88,38 @@ public class Saml2RelyingPartyProperties {
 			return this.identityprovider;
 		}
 
+		public static class Acs {
+
+			/**
+			 * Assertion Consumer Service location template. Can generate its location
+			 * based on possible variables of "baseUrl", "registrationId", "baseScheme",
+			 * "baseHost", and "basePort".
+			 */
+			private String location = "{baseUrl}/login/saml2/sso/{registrationId}";
+
+			/**
+			 * Assertion Consumer Service binding.
+			 */
+			private Saml2MessageBinding binding = Saml2MessageBinding.POST;
+
+			public String getLocation() {
+				return this.location;
+			}
+
+			public void setLocation(String location) {
+				this.location = location;
+			}
+
+			public Saml2MessageBinding getBinding() {
+				return this.binding;
+			}
+
+			public void setBinding(Saml2MessageBinding binding) {
+				this.binding = binding;
+			}
+
+		}
+
 		public static class Signing {
 
 			/**
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
index f2942603ef..59af2c3b10 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
@@ -42,7 +42,6 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -74,8 +73,8 @@ class Saml2RelyingPartyRegistrationConfiguration {
 		Builder builder = (usingMetadata) ? RelyingPartyRegistrations
 				.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
 				: RelyingPartyRegistration.withRegistrationId(id);
-		builder.assertionConsumerServiceLocation(
-				"{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+		builder.assertionConsumerServiceLocation(properties.getAcs().getLocation());
+		builder.assertionConsumerServiceBinding(properties.getAcs().getBinding());
 		builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
 		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
 				.map(this::asSigningCredential).forEach(credentials::add));
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
index 63ed6795e2..2361eb4b03 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
@@ -93,7 +93,8 @@ class Saml2RelyingPartyAutoConfigurationTests {
 			assertThat(registration.getAssertingPartyDetails().getEntityId())
 					.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php");
 			assertThat(registration.getAssertionConsumerServiceLocation())
-					.isEqualTo("{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+					.isEqualTo("{baseUrl}/login/saml2/foo-entity-id");
+			assertThat(registration.getAssertionConsumerServiceBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
 			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding())
 					.isEqualTo(Saml2MessageBinding.POST);
 			assertThat(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()).isEqualTo(false);
@@ -186,7 +187,9 @@ class Saml2RelyingPartyAutoConfigurationTests {
 				PREFIX + ".foo.identityprovider.singlesignon.sign-request=false",
 				PREFIX + ".foo.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
 				PREFIX + ".foo.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location",
-				PREFIX + ".foo.entity-id={baseUrl}/saml2/foo-entity-id" };
+				PREFIX + ".foo.entity-id={baseUrl}/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.location={baseUrl}/login/saml2/foo-entity-id",
+				PREFIX + ".foo.acs.binding=redirect" };
 	}
 
 	private boolean hasFilter(AssertableWebApplicationContext context, Class<? extends Filter> filter) {