Question

I was able to integrate Spring Boot and Spring Security SAML by using the @ImportResource annotation.

Now, I'd like to go on as follows:

  1. the user selects an IdP [DONE].
  2. the user logs in (successfully) [DONE].
  3. the SP obtains user data (by parsing the SAMLCredential object) [DONE].
  4. the webapp has to check whether the userID (e.g. email) retrieved via SAML exists in my own DB.
  5. a) If yes, the webapp reads the role from the DB and sets the related privileges.
     b) If not, the webapp has to redirect to a sign-up page, in order to insert the user into the system.

Does it make sense to perform points 4 and 5 using a UserDetailsService implementation, or do I have to set up the security context by defining authentication providers, filters, etc.?


Solution

You should implement org.springframework.security.saml.userdetails.SAMLUserDetailsService and plug it into the samlAuthenticationProvider bean. In case the user doesn't exist you should throw a UsernameNotFoundException; otherwise just populate and return the data from your DB.

On top of that you should implement your own org.springframework.security.web.authentication.AuthenticationFailureHandler and plug it into the samlWebSSOProcessingFilter bean. This implementation will be called with the UsernameNotFoundException passed as a parameter, and you can then redirect the user to the correct sign-up page in reaction to it.
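The two pieces described in the answer, as an added example that is not part of the original answer or of the Spring Security SAML project: a SAMLUserDetailsService that maps the asserted NameID onto a local account and its role (steps 4 and 5a), and a failure handler that redirects to sign-up only for the "valid assertion, unknown user" case (step 5b). LocalUserRepository, DbSamlUserDetailsService, SignUpRedirectFailureHandler and the /signup and /login?error URLs are assumed names; SAMLUserDetailsService, SAMLCredential, UsernameNotFoundException and SimpleUrlAuthenticationFailureHandler are the real Spring types.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Hypothetical view of the application's own user table. */
interface LocalUserRepository {
    /** Returns the stored role name for the e-mail, or null when no such user exists. */
    String findRoleByEmail(String email);
}

/** Steps 4 and 5a: look the asserted identity up in the local DB and build the principal. */
public class DbSamlUserDetailsService implements SAMLUserDetailsService {
    private final LocalUserRepository users;

    public DbSamlUserDetailsService(LocalUserRepository users) {
        this.users = users;
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The NameID comes from an assertion the SAML processing filter has already
        // validated (signature, audience, conditions), so it is the identity to key on.
        // Using a plain attribute instead would tie the account to whatever the IdP
        // happens to send in that attribute, so keep the lookup on the NameID.
        String email = credential.getNameID().getValue();

        String role = users.findRoleByEmail(email);
        if (role == null) {
            // Step 5b: unknown user. This exception reaches the failure handler below.
            throw new UsernameNotFoundException("No local account for " + email);
        }

        // The role stored in the DB decides the privileges, not anything in the assertion.
        List<GrantedAuthority> authorities =
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role));

        // A UserDetails return value becomes the principal and supplies the authorities
        // (samlAuthenticationProvider with forcePrincipalAsString=false).
        // The password is empty because authentication already happened at the IdP.
        return new User(email, "", authorities);
    }
}

/** Step 5b: send unknown-but-authenticated users to sign-up, everyone else to the normal error page. */
class SignUpRedirectFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    private final String signUpUrl;

    public SignUpRedirectFailureHandler(String signUpUrl, String defaultFailureUrl) {
        super(defaultFailureUrl);          // e.g. "/login?error" (assumed)
        this.signUpUrl = signUpUrl;        // e.g. "/signup" (assumed)
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        if (exception instanceof UsernameNotFoundException) {
            // Only the "assertion was valid, no local account" case goes to sign-up.
            getRedirectStrategy().sendRedirect(request, response, signUpUrl);
            return;
        }
        // Bad signature, expired assertion, wrong audience, etc. must not look like
        // a missing account: keep the standard failure path (session attribute + redirect).
        super.onAuthenticationFailure(request, response, exception);
    }
}
```

Wire them into the XML imported via @ImportResource by setting the userDetails property of the samlAuthenticationProvider bean to the DbSamlUserDetailsService and the authenticationFailureHandler property of the samlWebSSOProcessingFilter bean to the SignUpRedirectFailureHandler. Note that the failure handler receives only the exception, not the SAMLCredential, so the sign-up page must not trust an e-mail supplied by the browser; if the form should be pre-filled, carry the asserted identity in a custom UsernameNotFoundException subclass and store it in the session from the handler.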

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow