J P Mills

Reputation: 1

WebSphere - is it possible to have SAML TAI with fallback form-based authentication?

We've got a web application running in a WebSphere App Server 8.5.5 environment that we're currently authenticating against a database table. We're now changing things to authenticate with SAML against an ADFS IdP. Here's the rub: some users might not exist in the ADFS (the AD behind the ADFS). So the scenario I believe we want is either:

1) If we receive a SAML response with failed authentication, fallback to form-based authentication

or

2) Somehow have 2 entry points into the application, 1 SAML-driven and the other starts with form-based login.

Has anyone come up against this same scenario, and are either of the above possible solutions workable in WebSphere 8.5.5?

Upvotes: 0

Views: 317

Answers (1)

Chunlong

Reputation: 636

In the WebSphere SAML service provider (SP) implementation, upon detecting that a received SAMLResponse is invalid, the SP redirects the user to a pre-configured login page (starting a new SSO) or an error page. Doing this can ensure the user is always authenticated by the SAML IdP, and the authenticated subject always contains SAML for propagation and other post-processing.

The SAML SP supports a filter, and only accepts requests that satisfy the conditions defined in the filter. You can define a filter condition for requests that should be ignored by SAML, and you can use a URL pattern or any HTTP header name as the filtering condition.

If the filter cannot meet your requirement, we could further evaluate other options.

Upvotes: 1
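As an added illustration of the filter approach from the answer (example configuration, not from the post or from IBM documentation), the SAML TAI custom properties below restrict the TAI to one entry path so that the application's own form login can serve the other. The `sso_1.sp.*` property names are the WebSphere SAML TAI custom properties as I know them; the host names, the `/myapp/saml` and `/myapp/login` paths, and the IdP URL are assumed placeholders.

```properties
# Assumed WebSphere SAML Web SSO TAI custom properties (example only).
# Hosts and paths are placeholders for this illustration.

# Assertion Consumer Service URL the ADFS IdP posts the SAMLResponse to.
sso_1.sp.acsUrl=https://sp.example.com/samlsps/acs

# Only requests whose URL contains /myapp/saml are intercepted by the
# SAML TAI (option 2 in the question: the SAML-driven entry point).
# Requests to /myapp/login do not match, so they fall through to the
# application's FORM login declared in web.xml.
sso_1.sp.filter=request-url%=/myapp/saml

# Where the SP sends the user when a received SAMLResponse is invalid:
# a fresh IdP login rather than a silent fallback, so every subject
# reaching /myapp/saml was authenticated by the IdP.
sso_1.sp.login.error.page=https://idp.example.com/adfs/ls/
```

Requests that the filter excludes are not authenticated by the TAI at all, so the form-login path must still be protected by its own security constraint rather than left unauthenticated.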
