- When you visit your site: a GET call to http://localhost:4200. The local webserver responds with Angular's index.html, then the bundled JS executes and decides what to show. With your auth mechanism bundled, Angular's JS code realizes auth is missing and, according to the fallback plan you wrote there, redirects to the IDP (in between, you ask your server for the IDP's URL). (All of this happens in the browser.)
- Hitting the auth: a GET call to the IDP's login (now you are leaving your Angular app and showing the IDP's frontend). You post your credentials and log in (the IDP's frontend calls the IDP's backend and logs you in). (All of it happens in your browser.) Then
- (Here I am guessing you registered a post-auth redirect URL which is owned by your backend.) That makes a GET call to your backend. If your REST controller responds with something, it will be displayed in your browser.
Now...
Who actually logged in? The user.
Who represents your user? The frontend -> Angular.
Did the backend log in? No.
Does the backend represent anyone? No.
The backend is there for every user. Any authorized API call means the backend is going to act on behalf of that user (whatever is specified in the auth) temporarily. When the API call ends, the backend stops acting.
To correct your flow, you need to redirect to your frontend after login. Therefore the redirect URL you register with the IDP must be your frontend's route. This URL can be a component having a route in your Angular app, something like http://localhost:4200/login
For the OAuth SAML flow we receive a temporary, use-only-once auth code at the frontend.
We give that to the backend and ask it to convert it to an access token, ID token, refresh token, etc. Then it depends on you: you can look inside the ID token (parse the JWT), add new user information, and pack it again into a JWT. You can give it back to Angular by sending it as the response to the API call that passed the auth code.
But... a lot of things have changed in recent years.
Now SPAs are considered like an app, but an insecure one (lol).
So there is a best practices guide: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13
Short answer: redirect to your Angular app from the IDP, not to your backend.
Learning the bigger set of OAuth 2.0 is always a good idea. That will cover the SAML flow + a lot of other things. With that you can understand SAML flow implementations in other systems as well. It is a pain, but you are covered by the community. https://github.com/manfredsteyer/angular-oauth2-oidc is a savior for Angular indeed.