Consider Supporting Externalized OpenSAML Initialization

[sumeetpri]

Hello Team,

I'm currently spring security 6.2 which internally uses OpenSAML 4.3 Java library to handle the SAML assertion received from the IDP. However, I've encountered an issue where OpenSAML relies on the bcprov-jdk18on library, which is not compliant with FIPS standards. I integrated bc-fips version 1.0.2.4. However, this change has led to numerous "class not found" errors, and the system is not functioning correctly.

Spring Security SAML uses OpenSAML 4.3 which has hard dependency with non FIPS library which makes Spring Security SAML as not useable for federal projects .

[sumeetpri]

Hi @jzheaux , looking forward for your input as software like spring security SAML becoming non fips compliance is major blocker to be used in federal project

[sumeetpri]

Please suggest if there is any alternative option available

[rwinch]

@sumeetpri Can you put together a minimal sample that reproduces the errors that you are seeing?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.