
We are trying to use Spring SAML Extension to implement identity federation which is a use case described in Security Assertion Markup Language (SAML) V2.0 Technical Overview (5.4.3 Federation Using Persistent Pseudonym Identifiers).

Our application tries to associate remote users with local accounts (in our app) for SSO between business partners. Our application is an SP and the partner's application is an IDP.

In this scenario, if a user attempts to access a secure resource and does not have a logon session on our app, the SP will redirect the user to the IDP. After the user is authenticated at the IDP site, an HTTP request will be sent to the SP Assertion Consumer Service with a name identifier. At the SP site, if the name identifier is not mapped to a local account, our app will present a login page to challenge the user to provide a local identity for our app. After the user provides valid credentials, a local session is created and the user can access the secure resource. Also, a federation of the two accounts (SP and IDP) is created and persisted.

I have searched many examples but have not found a configuration that clearly describes what I need. I have not found a Spring document that describes how I can implement this.

Basically, my questions are how to create/config custom login screens and persist this identity federation. Any thoughts, examples or documents?

BTW, this is very similar to Account Linking in Ping Federation.

Thanks for any help, much appreciated.

Vladimír Schäfer

1 Answer


One approach to go about it is to:

  • implement a custom SAMLUserDetailsService which maps the content of the Assertion (persistent NameID) to the local account
    • in case the local account exists, it populates e.g. a UserDetails object with the user's data and adds a GrantedAuthority, e.g. ROLE_FULL_ACCESS
    • otherwise it returns an object which indicates that the local account is missing, but doesn't throw an exception
  • implement a custom AuthenticationSuccessHandler which detects whether the user has a local account (based on the Authentication object with data populated from the SAMLUserDetailsService)
    • in case the user has a local account, continue to the default page
    • otherwise redirect the user to a page with a challenge for linking the local identity
  • implement e.g. an MVC Controller, or another Spring Security authentication endpoint, which accepts the callback from the local identity linking page (with the user's credentials for the local account)
    • store the link between the persistent ID and the local account
    • update the current Authentication object with a new UserDetails object reflecting the selected local account
    • redirect the user to the default page

Content which should be available only to fully authenticated users (i.e. users with local account) should be secured with role ROLE_FULL_ACCESS, so it cannot be accessed by users who authenticated using the IDP, but who haven't performed the linking yet.

Vladimír Schäfer
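The first two steps of the answer above (the NameID mapping service and the link-aware success handler), written out as added example code that is neither the answer's own code nor part of Spring SAML Extension. It uses the extension's real SAMLUserDetailsService and SAMLCredential API, and assumes a hypothetical FederationRepository as the link store, a hypothetical /link-account challenge page, and a ROLE_UNLINKED marker role for users who authenticated at the IDP but have not linked a local account yet.

```java
import java.util.Collections;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml2.core.NameIDType;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
/** Maps the IDP's persistent NameID to a local account via a hypothetical repository. */
public class FederatedUserDetailsService implements SAMLUserDetailsService {
    public static final String ROLE_FULL_ACCESS = "ROLE_FULL_ACCESS";
    public static final String ROLE_UNLINKED = "ROLE_UNLINKED";

    /** Hypothetical store for the (IDP entity ID, persistent ID) -> local account link. */
    public interface FederationRepository {
        Optional<String> findLocalAccount(String idpEntityId, String persistentId);
    }
    private final FederationRepository repo;
    public FederatedUserDetailsService(FederationRepository repo) { this.repo = repo; }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) {
        // Only a persistent NameID is a stable key for a link; refuse transient or unspecified ones.
        if (!NameIDType.PERSISTENT.equals(credential.getNameID().getFormat())) {
            throw new IllegalArgumentException("Federation requires a persistent NameID");
        }
        // Scope the lookup by issuing IDP: the same persistent ID from another IDP is a different subject.
        String persistentId = credential.getNameID().getValue();
        Optional<String> local = repo.findLocalAccount(credential.getRemoteEntityID(), persistentId);
        String role = local.isPresent() ? ROLE_FULL_ACCESS : ROLE_UNLINKED;
        // Unlinked users get a principal and a marker role, not an exception (as the answer suggests).
        return new User(local.orElse(persistentId), "", Collections.singleton(new SimpleGrantedAuthority(role)));
    }
}

/** Sends unlinked users to the local-identity challenge page instead of the saved request. */
class LinkAwareSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws java.io.IOException, javax.servlet.ServletException {
        boolean linked = auth.getAuthorities().stream()
                .anyMatch(a -> FederatedUserDetailsService.ROLE_FULL_ACCESS.equals(a.getAuthority()));
        if (linked) { super.onAuthenticationSuccess(req, res, auth); return; }
        getRedirectStrategy().sendRedirect(req, res, "/link-account"); // hypothetical challenge page
    }
}
```

The linking controller (step three) is not shown: after it verifies the local credentials, it writes the (IDP entity ID, persistent ID) pair into the FederationRepository and replaces the Authentication in the SecurityContext with one carrying ROLE_FULL_ACCESS, so content secured with that role only opens once the link exists.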