I was able to integrate Spring Boot and Spring Security SAML by using the @ImportResource annotation.

Now, I'd like to go on as follows:

  1. the user selects an IdP [DONE].
  2. the user performs the login (successfully) [DONE].
  3. the SP obtains user data (by parsing the SAMLCredential object) [DONE].
  4. the webapp has to check whether the userID (e.g. email) retrieved via SAML exists in my own DB.
  5. a) If yes, the webapp reads the role from the DB and sets the related privileges.
     b) If no, the webapp has to redirect to a sign-up page, in order to insert the user into the system.

Does it make sense to perform points 4 and 5 by using a UserDetailsService implementation, or do I have to set up the security context by defining authentication providers, filters, etc.?

Vladimír Schäfer
vdenotaris

1 Answer

You should implement org.springframework.security.saml.userdetails.SAMLUserDetailsService and plug it into the samlAuthenticationProvider bean. In case the user doesn't exist you should throw a UsernameNotFoundException; otherwise just populate and return the data from your DB.

On top of that you should implement your own org.springframework.security.web.authentication.AuthenticationFailureHandler and plug it into the samlWebSSOProcessingFilter bean. This implementation will be called with the UsernameNotFoundException passed as a parameter, and you can then redirect the user to the correct sign-up page in reaction to it.

Vladimír Schäfer
  • You're welcome V. If you're satisfied with the answer, please accept it by clicking on the check mark beside the answer to toggle it from hollow to green. – Vladimír Schäfer Apr 28 '14 at 12:01
  • Is there a way to pass the nameID (from the SAMLCredential object) to the failure handler in order to set a model attribute of the redirect page? – vdenotaris Apr 28 '14 at 13:52
  • The UsernameNotFoundException has a constructor with an "extraInformation" field. Just put it there and load it from the exception in your failureHandler. – Vladimír Schäfer Apr 28 '14 at 13:59
  • Ok, it works, but I'm seeing that this constructor is deprecated. Do you know if there is a proper way to perform this passage according to the Spring best practices? – vdenotaris Apr 28 '14 at 14:07
  • As it says in the exception's documentation: "Use the exception message or use a custom exception if you really need additional information"; in other words, you can extend UsernameNotFoundException with your own exception which allows you to store the NameID, and throw that instead. – Vladimír Schäfer Apr 28 '14 at 14:14
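The two pieces the answer and its comments describe, written out as an added example (this is not code from the question, the answer, or the Spring Security SAML project): a SAMLUserDetailsService that maps the IdP-asserted NameID to a local account and its role (steps 4 and 5a), a custom UsernameNotFoundException subclass that carries the NameID instead of the deprecated extraInformation constructor, and an AuthenticationFailureHandler that turns that exception into a sign-up redirect (step 5b). The AccountRepository and AppUser types, the "/signup" and "/login?error" URLs, and the "samlNameId" session attribute are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Custom exception carrying the NameID (the alternative to the deprecated extraInformation constructor). */
class UnknownSamlUserException extends UsernameNotFoundException {
    private final String nameId;

    UnknownSamlUserException(String nameId) {
        super("No local account for SAML subject " + nameId);
        this.nameId = nameId;
    }

    String getNameId() { return nameId; }
}

/** Hypothetical local account model and repository (assumption, not part of the original page). */
class AppUser {
    final String email;
    final String role;   // e.g. "ADMIN" or "USER", as stored in the application's own DB
    AppUser(String email, String role) { this.email = email; this.role = role; }
}

interface AccountRepository {
    AppUser findByEmail(String email);   // returns null when no such user is registered
}

/** Steps 4 and 5a: look the SAML subject up in the local DB and build its authorities from the stored role. */
class DbSamlUserDetailsService implements SAMLUserDetailsService {
    private final AccountRepository accounts;

    DbSamlUserDetailsService(AccountRepository accounts) { this.accounts = accounts; }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The NameID is the subject asserted by the IdP; by the time this runs the SAML processing
        // filter has already validated the assertion, so it is safe to use as the lookup key.
        String nameId = credential.getNameID().getValue();
        AppUser user = accounts.findByEmail(nameId);
        if (user == null) {
            // Step 5b: signal "not registered"; the failure handler below turns this into a redirect.
            throw new UnknownSamlUserException(nameId);
        }
        // Authorities come from the local DB only, never from attributes the IdP happens to send.
        return new User(user.email, "N/A",
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + user.role)));
    }
}

/** Step 5b: unknown users go to sign-up; any other authentication failure gets a generic error page. */
class SignUpRedirectFailureHandler implements AuthenticationFailureHandler {
    private final RedirectStrategy redirect = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        if (exception instanceof UnknownSamlUserException) {
            // Hand the NameID to the sign-up page through the session rather than the query string,
            // so the identifier does not end up in access logs or Referer headers.
            request.getSession(true).setAttribute("samlNameId",
                    ((UnknownSamlUserException) exception).getNameId());
            redirect.sendRedirect(request, response, "/signup");
        } else {
            redirect.sendRedirect(request, response, "/login?error");
        }
    }
}
```

In the XML loaded through @ImportResource, the first class is referenced from the userDetails property of the samlAuthenticationProvider bean and the second from the authenticationFailureHandler property of the samlWebSSOProcessingFilter bean (property names as used in the spring-security-saml sample configuration; verify them against the version in use). The sign-up controller reads the samlNameId session attribute to pre-fill the form and removes it once the account has been created.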