saml2Login Honors AuthenticationProvider bean

Closes gh-13654

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -269,6 +269,9 @@ public void init(B http) throws Exception {
 			}
 		}
 		this.initDefaultLoginFilter(http);
+		if (this.authenticationManager == null) {
+			registerDefaultAuthenticationProvider(http);
+		}
 	}
 
 	/**
@@ -284,10 +287,7 @@ public void configure(B http) throws Exception {
 		filter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
 		http.addFilter(postProcess(filter));
 		super.configure(http);
-		if (this.authenticationManager == null) {
-			registerDefaultAuthenticationProvider(http);
-		}
-		else {
+		if (this.authenticationManager != null) {
 			this.saml2WebSsoAuthenticationFilter.setAuthenticationManager(this.authenticationManager);
 		}
 	}
@@ -361,7 +361,10 @@ private AuthenticationConverter getAuthenticationConverter(B http) {
 	}
 
 	private void registerDefaultAuthenticationProvider(B http) {
-		http.authenticationProvider(postProcess(new OpenSaml4AuthenticationProvider()));
+		OpenSaml4AuthenticationProvider provider = getBeanOrNull(http, OpenSaml4AuthenticationProvider.class);
+		if (provider == null) {
+			http.authenticationProvider(postProcess(new OpenSaml4AuthenticationProvider()));
+		}
 	}
 
 	private void registerDefaultCsrfOverride(B http) {

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java

@@ -43,6 +43,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
@@ -60,6 +61,7 @@
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
@@ -358,6 +360,15 @@ public void getFaviconWhenDefaultConfigurationThenDoesNotSaveAuthnRequest() thro
 				.andExpect(redirectedUrl("http://localhost/saml2/authenticate/registration-id"));
 	}
 
+	@Test
+	public void saml2LoginWhenCustomAuthenticationProviderThenUses() throws Exception {
+		this.spring.register(CustomAuthenticationProviderConfig.class).autowire();
+		AuthenticationProvider provider = this.spring.getContext().getBean(AuthenticationProvider.class);
+		this.mvc.perform(post("/login/saml2/sso/registration-id").param("SAMLResponse", SIGNED_RESPONSE))
+				.andExpect(status().isFound());
+		verify(provider).authenticate(any());
+	}
+
 	private void performSaml2Login(String expected) throws IOException, ServletException {
 		// setup authentication parameters
 		this.request.setRequestURI("/login/saml2/sso/registration-id");
@@ -668,6 +679,29 @@ Saml2AuthenticationTokenConverter authenticationTokenConverter() {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	@EnableWebMvc
+	@Import(Saml2LoginConfigBeans.class)
+	static class CustomAuthenticationProviderConfig {
+
+		private final OpenSaml4AuthenticationProvider provider = spy(new OpenSaml4AuthenticationProvider());
+
+		@Bean
+		SecurityFilterChain web(HttpSecurity http) throws Exception {
+			http.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+					.saml2Login(Customizer.withDefaults());
+
+			return http.build();
+		}
+
+		@Bean
+		AuthenticationProvider provider() {
+			return this.provider;
+		}
+
+	}
+
 	static class Saml2LoginConfigBeans {
 
 		@Bean