Support configuration of localEntityIdTemplate for a SAML Relying Party

Closes gh-20352

Author: danilopiazza

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java

@@ -51,9 +51,15 @@ public Map<String, Registration> getRegistration() {
 	public static class Registration {
 
 		/**
-		 * Relying Party identifier URI pattern.
+		 * Relying party's EntityID.
+		 *
+		 * This value may contain a number of placeholders. They are: baseUrl,
+		 * registrationId, baseScheme, baseHost, and basePort.
+		 *
+		 * The default value is
+		 * {baseUrl}/saml2/service-provider-metadata/{registrationId}.
 		 */
-		private String localEntityIdTemplate;
+		private String relyingPartyEntityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
 
 		private final Signing signing = new Signing();
 
@@ -62,12 +68,12 @@ public static class Registration {
 		 */
 		private Identityprovider identityprovider = new Identityprovider();
 
-		public String getLocalEntityIdTemplate() {
-			return this.localEntityIdTemplate;
+		public String getRelyingPartyEntityId() {
+			return this.relyingPartyEntityId;
 		}
 
-		public void setLocalEntityIdTemplate(String template) {
-			this.localEntityIdTemplate = template;
+		public void setRelyingPartyEntityId(String entityId) {
+			this.relyingPartyEntityId = entityId;
 		}
 
 		public Signing getSigning() {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java

@@ -23,7 +23,6 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
 import java.util.stream.Collectors;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -79,8 +78,7 @@ private RelyingPartyRegistration asRegistration(String id, Registration properti
 				(details) -> details.binding(properties.getIdentityprovider().getSinglesignon().getBinding()));
 		builder.providerDetails((details) -> details.signAuthNRequest(signRequest));
 		builder.credentials((credentials) -> credentials.addAll(asCredentials(properties)));
-		Optional.ofNullable(properties.getLocalEntityIdTemplate())
-				.ifPresent((template) -> builder.localEntityIdTemplate(template));
+		builder.localEntityIdTemplate(properties.getRelyingPartyEntityId());
 		return builder.build();
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java

@@ -90,7 +90,7 @@ void relyingPartyRegistrationRepositoryBeanShouldBeCreatedWhenPropertiesPresent(
 			assertThat(registration.getProviderDetails().isSignAuthNRequest()).isEqualTo(false);
 			assertThat(registration.getSigningCredentials()).isNotNull();
 			assertThat(registration.getVerificationCredentials()).isNotNull();
-			assertThat(registration.getLocalEntityIdTemplate()).isEqualTo("{baseUrl}/saml2/local-entity-id");
+			assertThat(registration.getLocalEntityIdTemplate()).isEqualTo("{baseUrl}/saml2/foo-entity-id");
 		});
 	}
 
@@ -149,7 +149,7 @@ private String[] getPropertyValues() {
 				PREFIX + ".foo.identityprovider.singlesignon.sign-request=false",
 				PREFIX + ".foo.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
 				PREFIX + ".foo.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location",
-				PREFIX + ".foo.local-entity-id-template={baseUrl}/saml2/local-entity-id" };
+				PREFIX + ".foo.relying-party-entity-id={baseUrl}/saml2/foo-entity-id" };
 	}
 
 	private boolean hasFilter(AssertableWebApplicationContext context, Class<? extends Filter> filter) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyPropertiesTests.java

@@ -25,6 +25,7 @@
 import org.springframework.boot.context.properties.bind.Binder;
 import org.springframework.boot.context.properties.source.ConfigurationPropertySource;
 import org.springframework.boot.context.properties.source.MapConfigurationPropertySource;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -88,17 +89,17 @@ void customizeSsoSignRequestsIsTrueByDefault() {
 	}
 
 	@Test
-	void customizeLocalEntityIdTemplate() {
-		bind("spring.security.saml2.relyingparty.registration.simplesamlphp.local-entity-id-template",
-				"{baseUrl}/saml2/local-entity-id");
-		assertThat(this.properties.getRegistration().get("simplesamlphp").getLocalEntityIdTemplate())
-				.isEqualTo("{baseUrl}/saml2/local-entity-id");
+	void customizeRelyingPartyEntityId() {
+		bind("spring.security.saml2.relyingparty.registration.simplesamlphp.relying-party-entity-id",
+				"{baseUrl}/saml2/custom-entity-id");
+		assertThat(this.properties.getRegistration().get("simplesamlphp").getRelyingPartyEntityId())
+				.isEqualTo("{baseUrl}/saml2/custom-entity-id");
 	}
 
 	@Test
-	void customizeLocalEntityIdTemplateDefaultsToServiceProviderMetadata() {
-		this.properties.getRegistration().put("simplesamlphp", new Saml2RelyingPartyProperties.Registration());
-		assertThat(this.properties.getRegistration().get("simplesamlphp").getLocalEntityIdTemplate()).isNull();
+	void customizeRelyingPartyEntityIdDefaultsToServiceProviderMetadata() {
+		assertThat(RelyingPartyRegistration.withRegistrationId("id")).extracting("localEntityIdTemplate")
+				.isEqualTo(new Saml2RelyingPartyProperties.Registration().getRelyingPartyEntityId());
 	}
 
 	private void bind(String name, String value) {

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-saml2-service-provider/src/main/resources/application.yml

@@ -15,7 +15,7 @@ spring:
               entity-id: simplesaml
               singlesignon:
                 url: https://simplesaml-for-spring-saml/SSOService.php
-            local-entity-id-template: "{baseUrl}/saml2/service-provider-metadata"
+            relying-party-entity-id: "{baseUrl}/saml2/simple-relying-party"
           okta:
             signing:
               credentials:
@@ -29,4 +29,3 @@ spring:
               singlesignon:
                 url:
                   https://okta-for-spring/saml2/idp/SSOService.php
-            local-entity-id-template: "{baseUrl}/saml2/service-provider-metadata"