Allow a SAML2 relying party registration's decryption X509 credentials to be configured via application properties

[dawi]

Saml2RelyingPartyRegistrationConfiguration does not support setting of decryptionX509Credentials.

Via Java Config it is possible to set decryption credentials like this:

final RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
    .fromMetadataLocation("http://localhost:8081/auth/realms/DemoRealm/protocol/saml/descriptor")
    .registrationId("demo-saml-client")
    .entityId("demo-saml-client")
    .signingX509Credentials(c -> c.add(getSigningCredential()))
    .decryptionX509Credentials(c -> c.add(getDecryptionCredential()))
    .build();

Unfortunately this is not possible via Spring Boot application.properties.

[dawi]

I have two more annotations:

• It's also not posible to set the assertionConsumerServiceBinding.
• Maybe relying-party-entity-id could be named entity-id.
  since the other relying party properties are also not prefixed
  and IDPs entity-id is also not named identity-provider-entity-id.

[wilkinsona]

Thanks. We prefer to keep issues small and focussed if we can so I've opened #23745 and #23746 for those two.

[snicoll]

Actually, we used to configure both signing and decryption with the existing configuration property but the use of credentials is deprecated in Spring Security 5.4 so no introducing the separate property seems to be an oversight.

See also spring-projects/spring-security@56928f6

[snicoll]

@dawi this will be available in 2.4.0-SNAPSHOT shortly. If you have time, I'd appreciate if you could give the snapshot a try. Thanks!

[dawi]

@snicoll I could successfully authenticate against Keycloak with Encrypt Assertions enabled. :)