This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.3!

OpenSAML Support

Spring Security provides an API for implementing SAML 2.0 features, and it also provides a default implementation using OpenSAML.

Because Spring Security supports more than one version of OpenSAML at the same time, the components use the following naming convention:

  • Any component that is usable across all supported versions is named OpenSamlXXX.

  • Any component that targets OpenSAML 4.x is named OpenSaml4XXX.

  • Any component that targets OpenSAML 5.x is named OpenSaml5XXX.

spring-security-config selects between these implementations by default by discovering which version your application is currently using. For example, if you are using OpenSAML 4, Spring Security will use the OpenSaml4XXX components.

Selecting OpenSAML 4

Spring Security depends on OpenSAML 4 by default, so you need do nothing to begin using it other than importing the spring-security-saml dependency.

Selecting OpenSAML 5

To use OpenSAML 5, override the opensaml dependencies as follows:

Maven

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-core-api</artifactId>
            <version>5.1.2</version>
        </dependency>
        <dependency>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-core-impl</artifactId>
            <version>5.1.2</version>
        </dependency>
        <dependency>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-saml-api</artifactId>
            <version>5.1.2</version>
        </dependency>
        <dependency>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-saml-impl</artifactId>
            <version>5.1.2</version>
        </dependency>
    </dependencies>
</dependencyManagement>

<!-- ... -->

<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-saml2-service-provider</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.opensaml</groupId>
                <artifactId>opensaml-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>

Gradle

dependencies {
    constraints {
        implementation "org.opensaml:opensaml-core-api:5.1.2"
        implementation "org.opensaml:opensaml-core-impl:5.1.2"
        implementation "org.opensaml:opensaml-saml-api:5.1.2"
        implementation "org.opensaml:opensaml-saml-impl:5.1.2"
    }

    // ...

    implementation ('org.springframework.security:spring-security-saml2-service-provider') {
        exclude group: "org.opensaml", module: "opensaml-core"
    }

    // ...
}

The exclusion is necessary because OpenSAML 5 splits opensaml-core into opensaml-core-api and opensaml-core-impl.
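
To confirm the override and the exclusion both took effect, you can audit the resolved Maven dependencies for leftover or mixed OpenSAML artifacts. The script below is an added example, not part of Spring Security or its documentation; it assumes the `group:artifact:type:version:scope` line format printed by `mvn dependency:list`, and the sample listing (including the 4.3.2 version) is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:list` output (not from a real build):
# the OpenSAML 5 override is in place, but the opensaml-core exclusion was forgotten.
SAMPLE_MISSING_EXCLUSION = """\
[INFO]    org.opensaml:opensaml-core-api:jar:5.1.2:compile
[INFO]    org.opensaml:opensaml-core-impl:jar:5.1.2:compile
[INFO]    org.opensaml:opensaml-saml-api:jar:5.1.2:compile
[INFO]    org.opensaml:opensaml-saml-impl:jar:5.1.2:compile
[INFO]    org.opensaml:opensaml-core:jar:4.3.2:compile
[INFO]    org.example:unrelated-lib:jar:1.0.0:compile
"""

COORD = re.compile(r"org\.opensaml:\S+")


def opensaml_versions(listing):
    """Map each org.opensaml artifactId to the set of versions resolved for it."""
    found = defaultdict(set)
    for token in COORD.findall(listing):
        parts = token.split(":")  # group:artifact:type[:classifier]:version:scope
        if len(parts) >= 5:
            found[parts[1]].add(parts[-2])
    return dict(found)


def audit(listing):
    """Return findings that indicate a mixed or incomplete OpenSAML 5 override."""
    versions = opensaml_versions(listing)
    majors = {v.split(".")[0] for vs in versions.values() for v in vs}
    findings = []
    if len(majors) > 1:
        findings.append("mixed OpenSAML major versions: " + ", ".join(sorted(majors)))
    if "5" in majors and "opensaml-core" in versions:
        findings.append("opensaml-core still resolved alongside OpenSAML 5; add the exclusion")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MISSING_EXCLUSION):
        print("FINDING:", finding)
```

Feed it the real output of `mvn dependency:list` in place of the sample; an empty result means only one OpenSAML major version is resolved and the unsplit opensaml-core module is gone.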