
Example showing how to authenticate with multiple Asserting Parties

Open OrangeDog opened this issue 3 years ago • 3 comments

Continuing from: https://github.com/spring-projects/spring-security/issues/10551 https://github.com/spring-projects/spring-security-saml/issues/521#issuecomment-1042375537

One Relying Party (Service Provider) should be able to authenticate with a choice of Asserting Parties (Identity Providers). That's the basic SAML Federation system.

If this is currently possible, please add an example showing how (discovery can be a choice of two buttons - one for each IdP). If this is not currently possible, please re-open the feature request(s) for it. If it is not possible to add this feature, please resume support for spring-security-saml, which does allow this.

OrangeDog, Mar 10 '22 11:03

Does the silence mean I was correct, and the design of SAML support in Spring 5 is fatally flawed?

OrangeDog, May 25 '22 10:05

@jzheaux?

OrangeDog, Oct 24 '22 15:10

Bump. I desperately need this too @jzheaux.

stnor, Feb 16 '23 12:02

Any luck here? This seems a fair ask. I am working on migrating a project with the old spring security saml extension that needs this feature.

The old library used to set the Issuer as the peer entity by parsing the SAML response before validation. And then it would use the same parsed SAML response to do further validation.

This was very helpful in applications that need to handle multiple SPs with multiple SP partners or Asserting parties.

Right now the only way to have a unique registration id for configuring RelyingPartyRegistration for the above scenario is to use SP entity name + asserting party entity name as the unique id.

However, during validation we would have to first get the Issuer out of the token ourselves by parsing it, and then look up the RelyingPartyRegistration with (SP name + issuer) as the id. This works, but we parse the token twice, which is an expensive operation.

santoshdahal12, Oct 04 '24 04:10
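As an added illustration (not code from this issue, from Spring Security, or from spring-security-saml), here is a sketch of the lookup santoshdahal12 describes: a `RelyingPartyRegistrationResolver` that peeks at the Response's `Issuer` before validation and resolves the registration by a composite id. The class name, the `<spEntityId>|<idpEntityId>` id scheme, and a repository populated with such ids are assumptions; the XML parser is hardened because the document is untrusted input at this point.

```java
import java.io.ByteArrayInputStream;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import jakarta.servlet.http.HttpServletRequest; // javax.servlet on Spring Security 5.x
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;

// Hypothetical resolver (assumption): registration ids are "<spEntityId>|<idpEntityId>".
public class IssuerBasedRegistrationResolver implements RelyingPartyRegistrationResolver {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private final RelyingPartyRegistrationRepository repository;
    private final String spEntityId;
    public IssuerBasedRegistrationResolver(RelyingPartyRegistrationRepository repository, String spEntityId) {
        this.repository = repository;
        this.spEntityId = spEntityId;
    }
    @Override
    public RelyingPartyRegistration resolve(HttpServletRequest request, String relyingPartyRegistrationId) {
        String encoded = request.getParameter("SAMLResponse"); // HTTP-POST binding: base64 only, not deflated
        if (encoded == null) {
            return null;
        }
        String issuer = extractIssuer(encoded);
        // The Issuer is unverified here and serves only as a lookup key; the authentication provider
        // still validates the signature against the selected registration's asserting-party certificates.
        return issuer == null ? null : this.repository.findByRegistrationId(this.spEntityId + "|" + issuer);
    }
    static String extractIssuer(String encodedResponse) {
        try {
            byte[] xml = Base64.getDecoder().decode(encodedResponse);
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            // XML from an unauthenticated party: disable DTDs and external entities (XXE)
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            Document doc = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
            // First Issuer in document order is the Response's own Issuer, i.e. the asserting party
            NodeList issuers = doc.getDocumentElement().getElementsByTagNameNS(SAML_NS, "Issuer");
            return issuers.getLength() == 0 ? null : issuers.item(0).getTextContent().trim();
        } catch (Exception ex) {
            return null; // malformed or undecodable input: let the normal flow reject it
        }
    }
}
```

This is exactly the double parse the comment complains about: the resolver parses once to pick the registration, and the provider parses again to validate, so the cost is real but the peek itself should never be treated as authentication.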