Our application's single sign-on works with a federated identity provider (IdP) where the IdP selection is based on query parameters or path variables, such as https://
We have identified three cases:
Case 1: When the IdP is already configured as /saml2/authenticate/okta.
Case 2: Discover the IdP by a query parameter, such as /idplogin?customerid=1234.
Case 3: Discover the IdP by a path variable, such as /my-application/login/1234.
We are aware that one possible solution is to have a REST controller to handle the URL resolution and redirection. However, we would like to know if there is a way to configure or dynamically resolve the authentication request.
Is there any solution where the authentication request can be configured or resolved dynamically to support the above scenarios? Can we write a custom request resolver?
Comment From: sumeetpri
@jzheaux @marcusdacoregio - looking for your help if you could give some input. I will start exploring.
Comment From: marcusdacoregio
Hi @sumeetpri, have you tried declaring a bean instance of Saml2AuthenticationRequestResolver to be picked up by Saml2WebSsoAuthenticationRequestFilter? Something like this:
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Bean
Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver(RelyingPartyRegistrationRepository repository) {
	// antMatcher() takes a single pattern, so the three login URLs are combined with OrRequestMatcher
	RequestMatcher matcher = new OrRequestMatcher(antMatcher("/saml2/authenticate/{registrationId}"),
			antMatcher("/idplogin"), antMatcher("/my-application/login/{registrationId}"));
	// MyRelyingPartyRegistrationResolver is the application's own class, assumed to expose setRequestMatcher
	MyRelyingPartyRegistrationResolver resolver = new MyRelyingPartyRegistrationResolver(repository);
	resolver.setRequestMatcher(matcher);
	OpenSaml4AuthenticationRequestResolver requestResolver = new OpenSaml4AuthenticationRequestResolver(resolver);
	// the request resolver only runs for URLs its own matcher accepts (default: /saml2/authenticate/{registrationId})
	requestResolver.setRequestMatcher(matcher);
	return requestResolver;
}
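For readers who want to see what the custom resolver referenced in the comment above could look like, here is an added example of a RelyingPartyRegistrationResolver covering the three cases from the issue. It is not code from this thread or from Spring Security: the class name MyRelyingPartyRegistrationResolver, the setRequestMatcher method, the "customerid" parameter and the assumption that the customer id is also the registrationId are all taken from the issue or invented for illustration. It assumes Spring Security 6 (jakarta.servlet; use javax.servlet on 5.x) and that the OpenSaml4AuthenticationRequestResolver wrapping it has been given a matcher that accepts the same URLs, otherwise the discovery URLs never reach this class.

```java
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

/**
 * Example resolver (not shipped by Spring Security) that finds the RelyingPartyRegistration
 * from a path variable (/saml2/authenticate/{registrationId}, /my-application/login/{registrationId})
 * or from a query parameter (/idplogin?customerid=1234). The parameter name is an assumption.
 */
public final class MyRelyingPartyRegistrationResolver implements RelyingPartyRegistrationResolver {

	// assumption from the issue: the customer id is used as the registrationId
	private static final String CUSTOMER_ID_PARAM = "customerid";

	private final RelyingPartyRegistrationRepository repository;

	// default mirrors Spring Security's own login URL; the @Bean method replaces it with an OrRequestMatcher
	private RequestMatcher requestMatcher = antMatcher("/saml2/authenticate/{registrationId}");

	public MyRelyingPartyRegistrationResolver(RelyingPartyRegistrationRepository repository) {
		this.repository = repository;
	}

	public void setRequestMatcher(RequestMatcher requestMatcher) {
		this.requestMatcher = requestMatcher;
	}

	@Override
	public RelyingPartyRegistration resolve(HttpServletRequest request, String relyingPartyRegistrationId) {
		// The OpenSaml request resolver passes the {registrationId} path variable when its matcher found one
		// (case 1 and case 3); for /idplogin (case 2) it passes null and we must discover the id ourselves.
		String id = relyingPartyRegistrationId;
		if (id == null) {
			RequestMatcher.MatchResult match = this.requestMatcher.matcher(request);
			if (!match.isMatch()) {
				return null; // not one of our login URLs: the filter treats the request as unmatched
			}
			Map<String, String> variables = match.getVariables();
			id = variables.get("registrationId");
		}
		if (id == null) {
			id = request.getParameter(CUSTOMER_ID_PARAM); // case 2: /idplogin?customerid=1234
		}
		if (!StringUtils.hasText(id)) {
			return null;
		}
		// The id comes straight from the URL and is attacker-controlled. It is only ever used as a lookup
		// key into the configured registrations; an unknown id yields null and no AuthnRequest is built.
		return this.repository.findByRegistrationId(id);
	}
}
```

Because the value is a lookup key, an arbitrary customerid cannot redirect the user to an IdP that is not already configured in the repository; the worst outcome is a null registration, which the request filter handles by not starting SAML login. Keep the query parameter and path variable as the only two sources, and do not fall back to an application-wide default registration when the id is unknown, or any unauthenticated request to /idplogin would silently start a login against that default.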
Comment From: sumeetpri
Thank you @marcusdacoregio, having our own RelyingPartyRegistrationResolver and setting the request matcher gives wide flexibility to resolve the IdP by query or by path parameter.
Solved !