Ability to easily read attribute values from SAML response

Expected Behavior
I should be able to read attribute values after SAML response is parsed and validated without parsing it myself.

Current Behavior
As far I can tell OpenSamlAuthenticationProvider parses and validates the response, and then throws away the Assertion object. What I'm left with is encrypted response string.

Context
I want to show the user's first and last name on my website.

I could parse XML myself after successful login, but that doesn't seem very pretty.

I think that in the earlier iterations SecurityContextHolder.getContext().getAuthentication().getCredentials() returned SAMLCredential object with getAttribute methods.

Sorry if this is already possible, please tell me how it's supposed to be done in that case. If it's not possible, what nice workaround I could use?

I know that it's possible to extract roles using custom authorities extractor, but what about other attributes?

[jzheaux]

@kostic017 thanks for reaching out; I think adding attributes to the Saml2AuthenticatedPrincipal would be a way to address this.

To add it, it'll be important to maintain Spring Security's independence from OpenSAML, meaning that the resulting authentication shouldn't have any OpenSAML-specific material in it.

One way this could work would be to have OpenSamlAuthenicationProvider iterate through all the attributes and convert them to their corresponding Java types. I think it would be reasonable to add a Map<String, Object> getAttributes() default method to Saml2AuthenticatedPrincipal in that case.

Does that sound like what you are looking for and would you be interested in submitting a PR to add it?

That should do the job.

As you can probably tell, I've created a pull request... (force push to my branch, looks ugly here)

[fpagliar]

Thanks so much for raising this issue!!! This is a big blocker for us.

@fpagliar Here you can find a nice workaround until the fix gets released
https://stackoverflow.com/q/62210172/10479742
https://stackoverflow.com/q/58400571/10479742
If your assertion is encrypted, you're gonna need to decrypt it yourself first.