How to disable signature verification in Spring Security SAML 5.6.1?

I'm currently migrating from old deprecated Spring Security SAML Extension 1.0.10 to the SAML implementation in Spring Security 5.6.1.

In the old extension there was the possibility to disable the signature verification of the SAML response (property wantAssertionSigned in Spring Security SAML Extension documentation). This was very helpful for me during testing.

I wonder if this is also possible in Spring Security 5.6.1?


I searched in the source code and found the class OpenSamlMetadataResolver where it seems to me that this is hard-coded and cannot be changed:

private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration) {
    SPSSODescriptor spSsoDescriptor = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    (...)
    spSsoDescriptor.setWantAssertionsSigned(true);
    (...)
    return spSsoDescriptor;
}

Also, the code in OpenSaml4AuthenticationProvider doesn't seem to offer an easy way to configure the private variable assertionSignatureValidator to override validation behaviour.

Any help is appreciated.



Solution 1:[1]

In Spring Security 5.7.0, which will be released this Monday, May 16, 2022, the hard-coded line is removed. Therefore there is no more signature verification by default.

You will also be able to customize the EntityDescriptor if you want, something like this:

openSamlMetadataResolver.setEntityDescriptorCustomizer(
        (parameters) -> parameters.getEntityDescriptor().setEntityID("overriddenEntityId"));

You can always try the milestone releases before the GA.
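For readers on 5.7 or later, where the hard-coded WantAssertionsSigned line is gone, here is an added example (not from the answer or from the Spring Security project) of using that same customizer to explicitly re-declare WantAssertionsSigned in the generated SP metadata, so the IdP is still told to sign. The bean and configuration class names are assumptions; the resolver is normally handed to a Saml2MetadataFilter.

```java
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;

// Assumed configuration class; only OpenSamlMetadataResolver and its
// setEntityDescriptorCustomizer(...) hook come from Spring Security 5.7.
@Configuration
public class SamlMetadataConfig {

    @Bean
    OpenSamlMetadataResolver metadataResolver() {
        OpenSamlMetadataResolver resolver = new OpenSamlMetadataResolver();
        resolver.setEntityDescriptorCustomizer((parameters) -> {
            EntityDescriptor descriptor = parameters.getEntityDescriptor();
            // The resolver emits one SPSSODescriptor for the SAML 2.0 protocol;
            // look it up by protocol namespace rather than by list position.
            SPSSODescriptor sp = descriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
            if (sp != null) {
                // Restore the pre-5.7 behaviour: advertise to the IdP that
                // assertions sent to this SP must be signed.
                sp.setWantAssertionsSigned(true);
            }
        });
        return resolver;
    }
}
```

This metadata flag is only an advertisement to the IdP; whether an incoming response is actually checked is decided by OpenSaml4AuthenticationProvider, which rejects a response that carries neither a signed Response nor a signed Assertion regardless of what the metadata says.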

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Marcus Hert da Coregio