dependency: OpenSAML 5.1.6 upgrade#3840
Merged
Merged
Conversation
This version is support BC fips. Higher versions pull directly classes from non fips package. At least a version that could work together with spring security 7.x and then boot 4.x
Closed
cf-foundation-community-automation
Bot
moved this to Inbox
in Foundational Infrastructure Working Group
Contributor
There was a problem hiding this comment.
Pull request overview
Upgrades the server’s SAML/OpenSAML integration to OpenSAML 5.1.6 (aligned with Spring Security’s OpenSAML 5 track) and updates UAA’s SAML wiring, metadata, logout, and tests to the OpenSaml5 APIs and the Shibboleth net.shibboleth.shared package relocation.
Changes:
- Bump OpenSAML dependency version to
5.1.6and constrain Shibboleth repo resolution to relevant groups. - Migrate SAML authentication, bearer grant, metadata, and logout codepaths from OpenSaml4-* to OpenSaml5-* APIs.
- Update tests and test utilities for OpenSAML 5 / Shibboleth shared package changes.
Reviewed changes
Copilot reviewed 21 out of 22 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/UaaInResponseToHandlingResponseValidatorTest.java | Updates mocks/generics to use OpenSaml5 response token types. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/TestCustomOpenSamlObjects.java | Switches Shibboleth XML utilities to net.shibboleth.shared and aligns comments/behavior with OpenSAML 5. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpointKeyRotationTests.java | Adjusts test initialization to ensure OpenSAML is set up for metadata generation under OpenSAML 5. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2TestUtils.java | Updates SerializeSupport import to Shibboleth shared package. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2BearerGrantAuthenticationConverterTest.java | Updates serialization import and swaps OpenSaml4 assertion tokens to OpenSaml5 equivalents. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml5AuthenticationProviderUnitTests.java | Renames/retargets unit tests to OpenSaml5 provider and updates Spring Security registration builder API usage. |
| server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml5AuthenticationProviderUaaTests.java | Renames UAA integration tests class and resource reference to OpenSaml5 naming. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/UaaInResponseToHandlingResponseValidator.java | Rebinds the response validator wrapper to OpenSaml5 response token types. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlUaaResponseAuthenticationConverter.java | Updates converter to accept OpenSaml5 response token types. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEntityDescriptorCustomizer.java | Migrates metadata customizer to OpenSaml5MetadataResolver and Shibboleth shared CriteriaSet. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpoint.java | Uses OpenSaml5MetadataResolver for SAML SP metadata rendering. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfiguration.java | Updates OpenSAML initialization to OpenSAML 5 configuration APIs (PropertiesAdapter source). |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlAuthenticationFilterConfig.java | Swaps request/logout resolvers to OpenSaml5 and updates request matching to PathPatternRequestMatcher. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2Utils.java | Routes bearer decode errors through OpenSaml5 provider exception helper. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/Saml2BearerGrantAuthenticationConverter.java | Migrates parser pool import and switches all OpenSaml4 helpers/tokens to OpenSaml5. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSamlVerificationUtils.java | Updates Shibboleth CriteriaSet import and OpenSaml5 wording in docs. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSamlDecryptionUtils.java | Updates OpenSaml5 wording in docs (utility retained for custom provider). |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml5AuthenticationProvider.java | Implements OpenSAML 5 compatibility changes (package moves, validation API changes, address-check handling). |
| server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutResponseValidator.java | Updates delegate to OpenSaml5LogoutResponseValidator. |
| server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlLogoutRequestValidator.java | Updates delegate to OpenSaml5LogoutRequestValidator. |
| dependencies.gradle | Bumps versions.opensaml to 5.1.6. |
| build.gradle | Adds Shibboleth releases repo content filtering and updates the OpenSAML version pin rationale. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
strehle
added
dependencies
strehle
changed the title
fhanik
approved these changes
May 5, 2026
github-project-automation
Bot
moved this from Inbox
to Pending Merge | Prioritized
in Foundational Infrastructure Working Group
github-project-automation
Bot
moved this from Pending Merge | Prioritized
to Done
in Foundational Infrastructure Working Group
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Spring Security 6.5.x uses versions
org-opensaml4 = "4.3.2"
org-opensaml5 = "5.1.2"
Latest opensaml5 would be 5.2.1, but this version pulls directly classes from non fips package and therefore not working - right now. - need to check / fix later.
Opesaml5 5.1.x we could proceed.
Up to this version, it is running with BC FIPS libraries.
At least a version that could work together with spring security 7.x and then boot 4.x
If we are on newer Spring Boot we should refactor and remove many of the custom classes
Created a PR on vt-middleware/cryptacular#84 so that we could update the dependency to latest opensaml 5.xx.x