Programmatic IDP login with redirect to SP
lord_jorge Dec 27, 2013 6:52 AM
Hi all,
I have a specific situation where I have a set of applications (ears/wars) in a SaaS architecture, where for each client of these apps we have a database, that we call a domain, using the "tenant per database" approach. I also have a central database where the users/credentials are stored, along with the relation of the domains that each user can access, but the collection of roles needs to be stored in each tenant. So we can achieve the following scenario:
The "User 1" can access the domain "Customer A" and inside it he has the roles "Role X", "Role Y" & "Role Z".
The "User 1" can access the domain "Customer B" and inside it he has only the roles "Role X" and "Role W".
The "User 2" can access only the domain "Customer B" and inside it he has his own set of roles.
And so on...
For it to be possible, the first step was to encapsulate all this complexity in an IDP and simplify the job for the SPs. Inside the IDP, we had to blow up the login process into the following steps:
1. Request and validate the user credentials; (OK)
2. Load the list of the domains that this user can access; (OK)
3. Show the domains in a drop down menu for him to pick one; (OK)
4. Once chosen, load the roles he has in that domain; (OK)
5. Redirect the user to the original Request (NOK);
As you can see, after a bit of (should I say painful) research I achieved most of the job. For that, I had to write my own LoginModule and to perform a programmatic authentication against the j_security_check from my LoginController managed bean using HttpServletRequest.login(username, password).
And everything is working fine (almost):
The first time I access my SP I'm redirected to the login page from the IDP, and the authentication from the managed bean is working as I expected. The only problem is that I'm not able to redirect the user to the original request, holding the user inside my IDP; that's because I don't know how to programmatically redirect the user to the original request after I perform the authentication in the MBean.
I think the SAML is working fine because if I rewrite the URL to the SP again then I can access the protected resources. My only need is to catch the original URL in the managed bean to redirect the user to the SP after the successful authentication. It would also be important if I could catch the URI parameters, because sometimes I want to send some generated URLs to the user by email, like:
"http://serviceProvicer-Abc:1234/foo/bar.jsf?domain=abc&invoiceId=09876"
In that case, I have parameters that I want to use in the IDP (domain) and parameters that belong to the Service Provider (invoiceId), which should be present in the redirection.
Does anyone know how to achieve this last part of the job?
Regards and Happy New Year to everyone.