Spring Security multiple authentication provider not getting to the second one

Question

I have an app that uses Spring Security, was using a custom authentication provider just fine. I need to add a SAML IDP into the mix now. So I got the sample SAML application up and running and I use that security context as a base. I have my manager defined like this:

 <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider" />
    <security:authentication-provider ref="samlAuthenticationProvider"/>
 </security:authentication-manager>

Now when I submit my login form with a username/passeord that is only in the SAML IDP, I can see from the logs that it calls myAuthenticationProvider, which then throws a BadCredentialsException, then nothing. I don't see any other exception, and not a peep out of the SAMLAuthenticationProvider.

I have read the documentation a few times, and it seems to indicate this can be done, but I don't see an example. Does anyone have an example of using SAML and BasicAuthentication?

Answer 1

I don't think you need to add an extra authentication provider for a new IDP. You just need to add a new ?? in your CachingMetadataManager Bean. In the securityContext.xml provided in the sample app:

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- Example of classpath metadata with Extended Metadata -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/idp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
            </bean>

            <!-- Example of HTTP metadata without Extended Metadata -->
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">15000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>

            <!-- Example of file system metadata without Extended Metadata -->
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">/usr/local/metadata/idp.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>

        </list>
    </constructor-arg>

</bean>

If you un-comment the second bean in the list, it will enable another IDP specified in the xml file provided at /usr/local/metadata/idp.xml. If you want to add the metadata of another IDP over http, just copy the one for ssocircle and make adjustments.