Spring Security: different authentication methods based on entity

First post here, hoping I'm doing it right.

In a project, we have a scenario where we have one web application with multiple objects. The login is currently managed by the default JDBC Spring Security provider, which is working fine.

For the new requirement, we need each object to be able to have its own login method (there are currently 2 methods available: one is the current JDBC login, the second is SAML authentication, with each object defining its own IdP, but that's another story).

I need some guidance on how this can be achieved. I did some searches and found providers for different URLs, etc., but not different login methods for the same app and URL depending on the type of user or object.

Is it a good approach to create a custom single sign-on point where we authenticate the user of an object and then use a suitable authentication provider?

Respectfully,

Alex


1 answer


Since each of your users may be using a different IdP, you need to determine the username anyway before starting the authentication process, but you already know that.

One approach (similar to what Microsoft uses with Office 365 Enterprise):

  • Display a login page with the standard username and password fields.
  • Once the user enters the username and blurs the input field, make an AJAX call (to a custom API built for this purpose) and retrieve the authentication type + IdP information to use for that user.
  • If the type is password, just let the user continue to fill in the password field and POST to the same place you are used to handling with the JDBC provider.
  • If the type is federated authentication, initiate the authentication with the correct IdP by redirecting to /saml/login?idp=xyz and continue the SAML flow.


You can avoid any APIs by submitting the form after the user enters their username, or by letting the user click a Continue button. It would then be advisable to use a custom EntryPoint that:

  • redirects the user to the main login page if no username has been specified;
  • displays the login page with username / password, or redirects to the correct IdP, once the username has been specified.
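The "username first" entry point described in the answer, as an added Java example (not code from the original post, and not part of Spring Security itself). It assumes Java 11, the classic javax.servlet API, and the spring-security-saml extension's /saml/login?idp=... entry point mentioned above; the LoginRoute and LoginRouteResolver types, the in-memory resolver and the two sample usernames are constructed for illustration and stand in for the per-object configuration a real deployment would read from its database.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

/** How a given user must log in, resolved from the object the user belongs to (hypothetical type). */
final class LoginRoute {
    enum Type { PASSWORD, SAML }
    final Type type;
    final String idpEntityId; // entity ID of the object's IdP; null for PASSWORD

    LoginRoute(Type type, String idpEntityId) { this.type = type; this.idpEntityId = idpEntityId; }
    static LoginRoute password() { return new LoginRoute(Type.PASSWORD, null); }
    static LoginRoute saml(String idpEntityId) { return new LoginRoute(Type.SAML, idpEntityId); }
}

/** Hypothetical lookup: in production this reads the object's configuration from the JDBC store. */
interface LoginRouteResolver {
    Optional<LoginRoute> resolve(String username);
}

/** Constructed sample data standing in for the per-object configuration table. */
final class InMemoryLoginRouteResolver implements LoginRouteResolver {
    private static final Map<String, LoginRoute> ROUTES = Map.of(
        "alice@object-a.example", LoginRoute.password(),
        "bob@object-b.example",   LoginRoute.saml("https://idp.object-b.example/metadata"));

    @Override
    public Optional<LoginRoute> resolve(String username) {
        return Optional.ofNullable(ROUTES.get(username.trim().toLowerCase()));
    }
}

/**
 * Entry point for the username-first flow: with no username it shows the login page;
 * with a username it either shows the password form or starts SAML against the object's IdP.
 */
public class UsernameFirstEntryPoint implements AuthenticationEntryPoint {
    private final LoginRouteResolver resolver;
    private final String loginPage;      // e.g. "/login" (form POSTed to the JDBC provider)
    private final String samlLoginPath;  // e.g. "/saml/login" (spring-security-saml SAMLEntryPoint)
    private final RedirectStrategy redirect = new DefaultRedirectStrategy();

    public UsernameFirstEntryPoint(LoginRouteResolver resolver, String loginPage, String samlLoginPath) {
        this.resolver = resolver;
        this.loginPage = loginPage;
        this.samlLoginPath = samlLoginPath;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        String username = request.getParameter("username");
        if (username == null || username.isBlank()) {
            // No username yet: send the user to the page that asks for one.
            redirect.sendRedirect(request, response, loginPage);
            return;
        }
        Optional<LoginRoute> route = resolver.resolve(username);
        if (route.isEmpty() || route.get().type == LoginRoute.Type.PASSWORD) {
            // Password users and unknown usernames both get the ordinary form, so the redirect
            // does not reveal whether an account exists; the JDBC provider rejects unknown ones later.
            redirect.sendRedirect(request, response,
                loginPage + "?username=" + URLEncoder.encode(username, StandardCharsets.UTF_8));
            return;
        }
        // Federated user: the idp value comes from server-side configuration, never from the request,
        // so a caller cannot steer the SAML flow towards an IdP of their own choosing.
        redirect.sendRedirect(request, response,
            samlLoginPath + "?idp=" + URLEncoder.encode(route.get().idpEntityId, StandardCharsets.UTF_8));
    }
}
```

Register it with `http.exceptionHandling().authenticationEntryPoint(new UsernameFirstEntryPoint(resolver, "/login", "/saml/login"))`, and keep the SAML entry point configured with metadata for only the IdPs you trust, since it will refuse an `idp` value it does not know. If you expose the AJAX lookup API instead of the redirect, remember that its response tells a caller which usernames are federated, so it deserves the same rate limiting and logging as the login form itself.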






