OAuth2 vs. SAML2 - more than one authenticationProvider on same url-pattern
  • OAuth2 vs. SAML2 - more than one authenticationProvider on same url-pattern

    We have a problem using SAML2 and OAuth2 together. This is the flow we try to achieve:

    ----------------------
    Web browser
    ----------------------
    |
    token request
    |
    v
    ----------------------
    authorization-server
    ----------------------
    |
    authn-request
    |
    v
    ----------------------
    saml2-idp
    ----------------------
    |
    authn-response
    |
    v
    ----------------------
    authorization-server
    ----------------------
    |
    token
    |
    v
    ----------------------
    Web browser
    ----------------------


    The user requests a token from the authorization server. The authorization server has to check whether the user is authenticated with the saml2-idp, so it redirects to the saml2-idp and, once the user is authenticated, redirects back to the authorization server. The user then receives a token from the authorization-server.

    We've managed to set up both OAuth2 and SAML2 in our authorization-server. We use Spring Security, and these things work when they are mapped to different URL patterns. What we are now trying to do is put SAML2 in front of OAuth2. Hence the problem.

    OAuth is configured as follows:
    Code:
        <http pattern="/oauth/token" create-session="stateless"
              authentication-manager-ref="clientAuthenticationManager"
              xmlns="http://www.springframework.org/schema/security">
            <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
            <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_FULLY" />
            <anonymous enabled="false" />
            <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
            <!-- include this only if you need to authenticate clients via request parameters -->
            <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
            <access-denied-handler ref="oauthAccessDeniedHandler" />
        </http>
    SAML is configured as follows:
    Code:
       <security:http pattern="/**" entry-point-ref="samlEntryPoint">
            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
            <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
        </security:http>
    
        <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map request-matcher="ant">
                <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
                <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
                <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
                <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
                <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
                <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
                <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
            </security:filter-chain-map>
        </bean>
    In Spring Security it's not possible to mix different authentication providers, so we were thinking it could be a solution to put some sort of SAML filter in the OAuth filter chain, but we've been unsuccessful in our approaches so far.

    Any ideas on how this can be done?
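    Added example, not part of the original post: a security context that splits the two concerns by URL rather than by stacking filters in one chain. The token endpoint authenticates the OAuth2 client (client_id/client_secret), never the end user, so it stays stateless on HTTP Basic; the user-facing URLs, which include /oauth/authorize and the /saml/** protocol endpoints, go behind the SAML entry point. Spring Security evaluates `<http>` elements in declaration order and uses the first whose `pattern` matches, so the narrow /oauth/token chain is declared first. Bean ids marked ASSUMED (samlEntryPoint, the samlLogout*/metadata filters, clientAuthenticationEntryPoint, clientCredentialsTokenEndpointFilter, oauthAccessDeniedHandler, samlFailureHandler, clientDetails) stand for beans the poster already has in the SAML and OAuth2 contexts; the class names are the real ones from spring-security-saml and spring-security-oauth2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post). Bean ids marked ASSUMED are
     placeholders for beans the poster's existing SAML/OAuth2 contexts define. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Chain 1 (declared first, so it wins for /oauth/token): authenticates the
         OAuth2 client with client_id/client_secret over HTTP Basic. No end user
         is ever present here, so it stays stateless and is NOT behind SAML. -->
    <security:http pattern="/oauth/token" create-session="stateless"
                   authentication-manager-ref="clientAuthenticationManager"
                   use-expressions="false">
        <security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <security:anonymous enabled="false"/>
        <security:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>      <!-- ASSUMED -->
        <security:custom-filter ref="clientCredentialsTokenEndpointFilter"
                                before="BASIC_AUTH_FILTER"/>                       <!-- ASSUMED -->
        <security:access-denied-handler ref="oauthAccessDeniedHandler"/>              <!-- ASSUMED -->
    </security:http>

    <!-- Chain 2: everything else, which includes /oauth/authorize (the end user
         must be authenticated there) and /saml/** (where the IdP posts back).
         samlFilter sits before FILTER_SECURITY_INTERCEPTOR, so /saml/SSO is fully
         processed (response validated, session created, redirect issued) before
         the IS_AUTHENTICATED_FULLY rule is ever evaluated. -->
    <security:http pattern="/**" entry-point-ref="samlEntryPoint" use-expressions="false">  <!-- ASSUMED -->
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    <!-- Dispatcher for the SAML protocol URLs; all filter beans except
         samlWebSSOProcessingFilter are the poster's existing ones (ASSUMED). -->
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**"        filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/SSO/**"          filters="samlWebSSOProcessingFilter"/>
            <security:filter-chain pattern="/saml/logout/**"       filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
            <security:filter-chain pattern="/saml/metadata/**"     filters="metadataDisplayFilter"/>
        </security:filter-chain-map>
    </bean>

    <!-- After a successful SSO, replay the request that triggered the redirect:
         the original /oauth/authorize call with client_id, redirect_uri, scope
         and state intact, so the OAuth2 flow resumes with its own parameters. -->
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="userAuthenticationManager"/>
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"/>
        </property>
        <property name="authenticationFailureHandler" ref="samlFailureHandler"/>      <!-- ASSUMED -->
    </bean>

    <!-- One manager per chain. A ProviderManager asks each provider whether it
         supports() the Authentication type it is handed, so a manager may hold
         several providers; keeping them separate per endpoint avoids a client
         secret ever being tried as a user credential or vice versa. -->
    <security:authentication-manager id="userAuthenticationManager">
        <security:authentication-provider ref="samlAuthenticationProvider"/>
    </security:authentication-manager>
    <security:authentication-manager id="clientAuthenticationManager">
        <security:authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
    </security:authentication-manager>

    <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider"/>

    <!-- Adapts the OAuth2 ClientDetailsService so client_secret is checked like a password. -->
    <bean id="clientDetailsUserDetailsService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>      <!-- ASSUMED: the ClientDetailsService bean -->
    </bean>
</beans>
```

    Two things to check when wiring this into an existing context: an `<intercept-url>` for /oauth/authorize only has an effect inside a chain whose `pattern` actually matches that URL, so it belongs in the `/**` chain, not in the /oauth/token one; and the success handler on the SSO processing filter must be the saved-request variant, otherwise the user lands on a default target after the IdP round trip and the pending authorization request (including its `state` value) is lost.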

  • #2
    Hi,

    did you find out how to do it?
    It seems I'm facing the same challenge.


    Thanks!
    Ohad