Saml2Authentication isn't serializable

[clemstoquart]

Hi Spring Security team,

I've encounter an issue using the new Saml2 support with Spring Session.

In the OpenSamlAuthenticationProvider class in the authenticate method we create the authentication this way :

new Saml2Authentication(
    () -> username, token.getSaml2Response(),
    this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))
)

But this isn't serializable with the default serializer provided by Spring Session.

Solution

IMO provide an implementation of the AuthenticatedPrincipal instead of using an anonymous class should do the trick here.

What do you think about that ?

Have a nice day :)

[eleftherias]

@clemstoquart Thanks for the report and for the work you're doing with the new SAML2 support!
I can see the problem and I agree that creating a SAML2 implementation of AuthenticatedPrincipal is an appropriate solution.
Are you interested in submitting a PR for this fix?

[clemstoquart]

@eleftherias you're welcome :)

Yes I'm preparing a PR.