Add Registration to Saml2Authentication

Closes gh-9487

Author: jzheaux

docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc

@@ -107,6 +107,7 @@ where
 * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue
 * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and
 * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s.
+* `adfs` is <<servlet-saml2login-relyingpartyregistrationid, an arbitrary identifier you choose>>
 
 And that's it!
 
@@ -196,6 +197,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs
 Then, it places that principal and the authorities into a `Saml2Authentication`.
 
 The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element.
+`Saml2AuthenticatedPrincipal#getRelyingPartyRegistrationId` holds the <<servlet-saml2login-relyingpartyregistrationid,identifier to the associated `RelyingPartyRegistration`>>.
 
 [[servlet-saml2login-opensaml-customization]]
 ==== Customizing OpenSAML Configuration
@@ -410,6 +412,10 @@ open fun relyingPartyRegistrations(): RelyingPartyRegistrationRepository? {
 ----
 ====
 
+[[servlet-saml2login-relyingpartyregistrationid]]
+[NOTE]
+The `registrationId` is an arbitrary value that you choose for differentiating between registrations.
+
 Or you can provide each detail manually, as you can see below:
 
 .Relying Party Registration Repository Manual Configuration

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java

@@ -34,11 +34,14 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri
 
 	private final Map<String, List<Object>> attributes;
 
+	private String registrationId;
+
 	public DefaultSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes) {
 		Assert.notNull(name, "name cannot be null");
 		Assert.notNull(attributes, "attributes cannot be null");
 		this.name = name;
 		this.attributes = attributes;
+		this.registrationId = null;
 	}
 
 	@Override
@@ -51,4 +54,14 @@ public Map<String, List<Object>> getAttributes() {
 		return this.attributes;
 	}
 
+	@Override
+	public String getRelyingPartyRegistrationId() {
+		return this.registrationId;
+	}
+
+	public void setRelyingPartyRegistrationId(String registrationId) {
+		Assert.notNull(registrationId, "relyingPartyRegistrationId cannot be null");
+		this.registrationId = registrationId;
+	}
+
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java

@@ -22,6 +22,7 @@
 
 import org.springframework.lang.Nullable;
 import org.springframework.security.core.AuthenticatedPrincipal;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.CollectionUtils;
 
 /**
@@ -66,4 +67,13 @@ default Map<String, List<Object>> getAttributes() {
 		return Collections.emptyMap();
 	}
 
+	/**
+	 * Get the {@link RelyingPartyRegistration} identifier
+	 * @return the {@link RelyingPartyRegistration} identifier
+	 * @since 5.6
+	 */
+	default String getRelyingPartyRegistrationId() {
+		return null;
+	}
+
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java

@@ -41,6 +41,12 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
 
 	private final String saml2Response;
 
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 */
 	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
 			Collection<? extends GrantedAuthority> authorities) {
 		super(authorities);

saml2/saml2-service-provider/src/opensaml3Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java

@@ -424,8 +424,11 @@ public static Converter<ResponseToken, Saml2Authentication> createDefaultRespons
 			Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
-			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
+			DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
+			String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
+			principal.setRelyingPartyRegistrationId(registrationId);
+			return new Saml2Authentication(principal, token.getSaml2Response(),
+					Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
 		};
 	}
 
@@ -626,8 +629,10 @@ private Converter<ResponseToken, Saml2Authentication> createCompatibleResponseAu
 			Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
-			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(),
+			DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
+			String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
+			principal.setRelyingPartyRegistrationId(registrationId);
+			return new Saml2Authentication(principal, token.getSaml2Response(),
 					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
 		};
 	}

saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java

@@ -425,8 +425,11 @@ public static Converter<ResponseToken, Saml2Authentication> createDefaultRespons
 			Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
-			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
+			DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
+			String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
+			principal.setRelyingPartyRegistrationId(registrationId);
+			return new Saml2Authentication(principal, token.getSaml2Response(),
+					AuthorityUtils.createAuthorityList("ROLE_USER"));
 		};
 	}