
In a login, after successful authentication using spring-security-saml2-service-provider, I expect a Saml2AuthenticationToken (or something derived from it containing user details), but I get an AnonymousAuthenticationToken (authenticated = true) instead. While debugging, I did not hit some of the breakpoints I expected, and stepping through the (Spring) code in the debugger did not give me any idea of the reason or of an alternative route.

I set up a SAML 2.0 Login following the SAML 2.0 Login Overview. Version 5.8 and not 6.x, because I can only use Java 8. I use Spring Boot (spring-boot-starter-parent 2.7.14) and spring-security-saml2-service-provider 5.8.2 in a Maven project. Hardly any code of my own, except configuration in an application.yml file and a SecurityFilterChain (using saml2Login(withDefaults())). I use SURFconext as intermediary. "My" login service is called by an https URL <mymachine.xx>.nl/saml2/authenticate/surf (the relying party registration in my yml file is surf), and the yml assertingparty entity-id is an http URL <mymachine.xx>.nl/:saml2/service-provider-metadata/surf (exactly as configured at SURFconext as Entity ID). The singlesignon.url in the yml file is a test URL SURFconext provides (singlesignon.url: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:<key>). The ACS location (the endpoint where users need to be sent back to after authentication) configured at SURFconext is an https URL <mymachine.xx>.nl/federation/saml/SAMLAssertionConsumer. That corresponds to the @RequestMapping("/federation/saml/SAMLAssertionConsumer") in my AssertionConsumer. I follow what happens in a SAML extension in a Chrome developer window. I can see the flow there as shown in the overview. I see the SAML messages in two GETs and two POSTs (plus more non-SAML GETs, mainly redirects, that are not important to mention here).

I see in the first POST SAML message that my IdP returns the right data of the logged-in person, and in the second POST that SURFconext passes on the part of that SAML data that is needed by my application. But what I actually get back in my AssertionConsumer is a spring-security-core AnonymousAuthenticationToken (authenticated = true) instead of a spring-security-saml2-service-provider Saml2AuthenticationToken. I need the details of the user, but I don't get them, even though I can see them in the Chrome SAML extension.

I tried implementing a UserDetailsService and configuring my own Converter, but nothing I tried brought me any closer to the cause or a solution.

JvdLinden

0 Answers
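The question above has no answer on this page. What follows is an added example, written for this page and not taken from the question or from Spring Security, of the shape a Spring Security 5.8 / Spring Boot 2.7 setup takes when the SAML response is processed by Spring's own filter at the exact ACS path registered at the IdP, and of how the user details are read afterwards. The registration id `surf` and the ACS path are taken from the question; everything else (class names, the `/me` endpoint, the attribute name) is an assumption. Two facts about the library the example relies on: `Saml2WebSsoAuthenticationFilter` only handles SAMLResponse POSTs on its own processing URL (by default `/login/saml2/sso/{registrationId}`), and after a successful `saml2Login` the `Authentication` in the security context is a `Saml2Authentication` whose principal is a `Saml2AuthenticatedPrincipal`; `Saml2AuthenticationToken` is only the pre-authentication token the filter builds from the POST.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class SamlSecurityConfig {

    // Assumed values, taken from the question: the relying-party registration id
    // from application.yml and the ACS path registered at the IdP.
    static final String REGISTRATION_ID = "surf";
    static final String ACS_PATH = "/federation/saml/SAMLAssertionConsumer";

    @Bean
    SecurityFilterChain samlFilterChain(HttpSecurity http,
                                        RelyingPartyRegistrationRepository registrations) throws Exception {
        // The default resolver reads the registration id from the last path segment
        // ("/login/saml2/sso/{registrationId}"). ACS_PATH carries no such segment, so the
        // id is pinned here; resolve(request, id) still expands {baseUrl} placeholders.
        RelyingPartyRegistrationResolver defaultResolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);
        RelyingPartyRegistrationResolver pinned =
                (request, id) -> defaultResolver.resolve(request, REGISTRATION_ID);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // Saml2WebSsoAuthenticationFilter consumes the SAMLResponse POST only here.
                .loginProcessingUrl(ACS_PATH)
                .authenticationConverter(new Saml2AuthenticationTokenConverter(pinned))
                // The filter owns ACS_PATH now, so an @RequestMapping on that path is never
                // reached; send the browser on to an ordinary endpoint after login instead.
                .defaultSuccessUrl("/me", true));
        return http.build();
    }
}

@RestController
class WhoAmIController {

    // After saml2Login succeeds, the Authentication is a Saml2Authentication and its
    // principal is a Saml2AuthenticatedPrincipal carrying the assertion's attributes.
    @GetMapping("/me")
    Map<String, Object> me(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("nameId", principal.getName());
        out.put("registrationId", principal.getRelyingPartyRegistrationId());
        // Attribute names depend on what the IdP releases; this one is an assumed example.
        out.put("mail", principal.getFirstAttribute("urn:mace:dir:attribute-def:mail"));
        out.put("attributes", principal.getAttributes());
        return out;
    }
}
```

With this configuration the AuthnRequest and the generated SP metadata should advertise the same ACS location, so the relying-party registration in application.yml needs `spring.security.saml2.relyingparty.registration.surf.acs.location: "{baseUrl}/federation/saml/SAMLAssertionConsumer"` alongside the `assertingparty` settings the question already describes. A quick check that the filter, rather than an application controller, is receiving the POST is to set a breakpoint in `Saml2WebSsoAuthenticationFilter.attemptAuthentication` (or enable DEBUG logging for `org.springframework.security`) and confirm it fires on the second POST shown by the browser extension.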