Federated authentication using external identity providers #462

Closed
metacubed opened this issue Oct 15, 2021 · 5 comments
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com)

Comments

metacubed commented Oct 15, 2021

Is it possible to configure the Spring Authorization Server to delegate authentication to an external identity provider?

When configured, the "/login" endpoint of the Spring Authorization Server would serve a page showing various login options:

  • [ Log in using a local user ]
    • [ username ]
    • [ password ]
  • [ Log in using <Company> SSO ]
  • [ Log in using Google ]

Identity federation may be done using various protocols such as OIDC, SAML, LDAP, etc.
This also includes "Social Login", which is usually a special case of OIDC federation.

Consider adding documentation/samples that show how to implement this using Spring Authorization Server.

@metacubed metacubed added the type: enhancement A general enhancement label Oct 15, 2021
@jgrandja
Collaborator

@metacubed Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

The quick answer is Yes, it is possible to configure multiple identity providers in order to federate authentication. However, this is a Spring Security concern, not Spring Authorization Server. You would use Spring Security to configure one or more AuthenticationProvider's.

The Spring Authorization Server sample configures formLogin() for the authentication mechanism. You would need to provide a custom security configuration that configures AuthenticationProvider's (SAML, LDAP, OIDC, etc.) with a custom login page for triggering the configured authentication mechanisms.

@jgrandja jgrandja self-assigned this Oct 18, 2021
@jgrandja jgrandja added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: enhancement A general enhancement labels Oct 18, 2021
@metacubed
Author

@jgrandja, my question was actually about federated login on the authorization server, not on the resource server. The goal is for resource servers to only trust tokens from a single authorization server (the Spring Auth Server).

Internally, the authorization server federates/delegates login to other identity providers. Once it receives a SAML assertion or OIDC token from these federated providers, it generates its own token based on those attributes.

Here's an example: https://docs.cloudfoundry.org/uaa/identity-providers.html

Would this functionality fit into the scope of this project? Please reopen this issue if so.

@jgrandja
Collaborator

@metacubed

my question was actually about federated login on the authorization server, not on the resource server

I did not mention resource server in my previous comment?

I understand your main question is around federating login, which is a Spring Security concern, and would need to be configured as mentioned in previous comment:

You would need to provide a custom security configuration that configures AuthenticationProvider's (SAML, LDAP, OIDC, etc.) with a custom login page for triggering the configured authentication mechanisms.
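The configuration jgrandja outlines in his two comments above (one Spring Security filter chain carrying both local form login and OIDC login behind a custom login page, next to the authorization server's own protocol endpoints), sketched as an added example; it is not code from this issue or from the project's samples. It assumes the Spring Security 5.5 and Spring Authorization Server 0.2.x APIs current in October 2021, a separate controller and template that serve GET /login, and the environment variable names shown; the Google registration stands in for any OIDC provider.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Added example, not project code. Assumes Spring Security 5.5 / Authorization Server 0.2.x
// and a hypothetical controller + template rendering GET /login with the three options.
@Configuration
public class FederatedLoginConfig {

    // Protocol endpoints (/oauth2/authorize, /oauth2/token, ...) keep the project's defaults.
    // A browser arriving at /oauth2/authorize without a session is sent to the shared /login page.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.exceptionHandling(e -> e.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }

    // Everything else: local form login and OIDC login side by side on one custom page.
    // Spring Security exposes each federated option at /oauth2/authorization/{registrationId},
    // so the page's "Log in using Google" button links to /oauth2/authorization/google.
    // Whichever path completes, the resulting session is what the server issues its own tokens from.
    @Bean
    SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .antMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"))        // local username/password
            .oauth2Login(oauth2 -> oauth2.loginPage("/login")); // federated OIDC providers
        return http.build();
    }

    // Client credentials are read from the environment; the variable names are assumed.
    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(
            CommonOAuth2Provider.GOOGLE.getBuilder("google")
                .clientId(System.getenv("GOOGLE_CLIENT_ID"))
                .clientSecret(System.getenv("GOOGLE_CLIENT_SECRET"))
                .build());
    }
}
```

A SAML or LDAP option is added to the same default chain in the same way (saml2Login() or an LDAP AuthenticationProvider behind the form), so resource servers keep trusting only this server's tokens.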

@metacubed
Author

I think we're still not on the same page, @jgrandja. In the Spring Security configuration, we would be configuring only one authentication provider i.e. the Spring Auth Server. Any login requests would go only to the Spring Auth Server.

Internally, the Spring Auth Server would redirect to other identity providers based on some configuration. Once this internal login completes, the Spring Auth Server issues its own token to the client.

The requester (Spring Security) will only see a token from the Spring Auth Server, not from the external identity provider.

@jgrandja
Collaborator

@metacubed I'll try to find time over the next couple of weeks to provide a sample since a few community members are looking for the same. Please track gh-106 for progress.
