Select Identity Provider Locally with Spring Security's SAML 2.0

I'm using Spring Security's SAML 2.0 to connect my service provider to multiple identity providers.

Everything in Spring's SAML 2.0 documentation makes sense. I have read many helpful tutorials including this one, which are similar to my existing code.

However, I am missing where and how to select an identity provider for a given user.

I understand SAMLDiscovery can be used to delegate the identity provider selection to a third party service. I also understand how to configure multiple identity providers. But I'm looking for a way to run my own code (i.e. check a database) and then trigger a SAML request for the chosen identity provider (not a third party service). I would expect this around the time SAMLEntryPoint is hit. I have seen mention of specifying EntityID in the initial request. Is this related?

I am attempting to perform SP-initiated SAML 2.0 SSO. Can someone please point me toward where I can manually specify an IdP based on the current user?

Matt Goodrich asked Nov 10 '21 04:11

1 Answer

As far as I know, SAML doesn't offer any mechanism for what you want. SAML discovery is used to find out which IdPs exist for your application.

Your problem is that you don't know who the user is before he tries to log in, and when he does, it means that he already knows which IdP he wants to use.

So you have these options:

  1. Most common. Use a landing page that lets the user select which IdP to use. For example, Epic Games lets you select the IdP from a list of 8. Once the user selects it, you are good to go: direct his request to the correct IdP.
  2. If you know in advance which user belongs to which IdP, then you can have a page that lets the user enter his username only. Once he does this, you can check in your DB which IdP this user belongs to and send a redirect message back to the browser. While this works, it will not allow the user to select which IdP he wants to use, putting this job on the shoulders of the backend.
  3. Do step 2 once and save a cookie in the user's browser. Then, when the user tries to log in again in another session from the same machine, you can automatically redirect him to the right IdP. Using this option, everything is done automatically except for the first time.

One thing to consider: from a security standpoint, giving a hacker any info is bad practice, and so options 2 and 3 do reveal to a hacker which IdP belongs to which user. IMO this is not such a big breach and can be implemented.

Itamar Kerbel answered Oct 21 '22 19:10
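One way to implement options 2 and 3 from the answer above, as an added Spring MVC example that is not part of the original post. It assumes the classic spring-security-saml extension with SAMLEntryPoint on its default /saml/login path, which accepts the chosen IdP's entity ID in the idp request parameter (the EntityID the question mentions); the controller paths, cookie name and the username-to-IdP map are constructed for illustration and stand in for the database lookup.

```java
import java.time.Duration;
import java.util.Map;
import org.springframework.http.*;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.UriComponentsBuilder;

@Controller
public class IdpSelectionController {
    // Constructed sample data standing in for the database lookup (username -> IdP entity ID).
    private static final Map<String, String> USER_TO_IDP = Map.of(
            "alice@example.com", "https://idp-a.example.com/metadata",
            "bob@example.org", "https://idp-b.example.org/metadata");
    private static final String IDP_COOKIE = "preferred_idp";
    // Assumption: SAMLEntryPoint on its default /saml/login path, selecting the IdP via the "idp" parameter.
    private static final String ENTRY_POINT = "/saml/login";

    // Option 3: a returning browser already carries its earlier choice, so skip the form.
    @GetMapping("/login/idp")
    public ResponseEntity<Void> start(@CookieValue(name = IDP_COOKIE, required = false) String remembered) {
        // The cookie is client-controlled: only reuse it if it names an IdP we actually know.
        if (remembered != null && USER_TO_IDP.containsValue(remembered)) {
            return redirect(entryPointFor(remembered), null);
        }
        return redirect("/login/idp-form", null); // the username-only form of option 2
    }

    // Option 2: look the username up and send the browser straight to the entry point for that IdP.
    @PostMapping("/login/idp")
    public ResponseEntity<Void> select(@RequestParam String username) {
        String entityId = USER_TO_IDP.get(username.trim().toLowerCase());
        if (entityId == null) {
            return redirect("/login/choose", null); // unknown user: fall back to the IdP list page of option 1
        }
        ResponseCookie cookie = ResponseCookie.from(IDP_COOKIE, entityId).httpOnly(true).secure(true)
                .sameSite("Lax").path("/login").maxAge(Duration.ofDays(30)).build();
        return redirect(entryPointFor(entityId), cookie);
    }

    // Builds e.g. /saml/login?idp=https://idp-a.example.com/metadata, encoding the entity ID where needed.
    static String entryPointFor(String entityId) {
        return UriComponentsBuilder.fromPath(ENTRY_POINT).queryParam("idp", entityId).build().encode().toUriString();
    }

    private static ResponseEntity<Void> redirect(String location, ResponseCookie cookie) {
        ResponseEntity.BodyBuilder response = ResponseEntity.status(HttpStatus.FOUND).header(HttpHeaders.LOCATION, location);
        if (cookie != null) response.header(HttpHeaders.SET_COOKIE, cookie.toString());
        return response.build();
    }
}
```

Sending unknown usernames to the generic IdP list keeps the form's behaviour the same for any input, which limits how much the lookup itself reveals.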