Thursday, 19 February 2015

SAML authenticated users don't appear in Spring Security's SessionRegistry

Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry.


Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However, I noticed that users who log in via SAML don't get their session added to the SessionRegistry.


The usual context file for form-based authentication contains the following:



    <session-management
        invalid-session-url="/login"
        session-fixation-protection="newSession"
        session-authentication-error-url="/login?invalid_session=1">

        <concurrency-control
            max-sessions="1"
            error-if-maximum-exceeded="false"
            session-registry-alias="springSessionRegistry"/>

    </session-management>


In my http element for the SAML configuration I added the same. This created a new SessionRegistry, but it did not contain anything. I also tried



    <concurrency-control session-registry-ref="springSessionRegistry"/>


but this did not contain any SAML authenticated sessions either.


So how can I access SAML sessions?

