Reputation: 368
I am working on a team that needs to add OIDC (JWT/id token) support to an existing Java Spring application using SAML2.0. Do you all have any suggestions or resources to help tackle this problem?
From the little research I have done, it sounds like there may be a way for us to convert a SAML2.0 token into a JSON Web Token/OIDC/ID Token. Is that a thing?
Sorry for any poor wording, I am a data scientist by nature so my software development skills are not strong.
Thank you all for any help you can provide.
Upvotes: 2
Views: 1644
Reputation: 7762
it sounds like there may be a way for us to convert a SAML2.0 token into a JSON Web Token/OIDC/ID Token
This sounds like you are trying to exchange the SAML assertion for an access token. In that case, you can look at SAML assertion token grants. Another option is to treat your SAML assertion as a bearer token itself instead of converting it. I don't believe that Spring Security yet supports either of those, but it wouldn't hurt to add a ticket to start that conversation.
add OIDC (JWT/id token) support to an existing Java Spring application using SAML2.0
If I'm wrong in my understanding, though, and what you are saying is that you want your app to be able to do the SAML SP handshake as well as the OIDC handshake, then Spring Security does support this. You can simply specify both mechanisms like so:
```java
http
    // Both login mechanisms on one filter chain; each still needs its own
    // client / relying-party registration to talk to the Identity Provider.
    .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
    .oauth2Login(Customizer.withDefaults())   // OIDC / OAuth2 login
    .saml2Login(Customizer.withDefaults());   // SAML 2.0 SP login
```
Each of these will ultimately have its own individual configurations necessary in order to coordinate correctly with your Identity Provider. See the links above for how to do this.
Also, there may be some reconciliation you need to do between the user that the ID Token represents and the user that the Assertion represents. That reconciliation will ultimately be up to you to do.
Upvotes: 2
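One way to do the reconciliation the answer leaves to you, as an added example that is not part of the answer or of Spring Security itself: reduce whichever principal Spring hands back (an `OidcUser` after OIDC login, a `Saml2AuthenticatedPrincipal` after SAML login) to one canonical key that the rest of the application can treat as the user. It assumes Java 16+ (pattern-matching `instanceof`), Spring Security 5.4+ on the classpath, and that your IdP puts the e-mail in a SAML attribute named `email`; the class name `IdentityReconciler` and the attribute name are hypothetical.

```java
import java.util.Locale;
import java.util.Optional;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;

/**
 * Hypothetical reconciliation helper: maps an OIDC login and a SAML login
 * to one canonical identity key so the application sees a single user.
 * The key is scoped by the token issuer / IdP registration so two IdPs that
 * happen to assert the same e-mail are never silently merged into one account.
 */
public final class IdentityReconciler {

    /** Assumed SAML attribute name carrying the user's e-mail (IdP-specific). */
    static final String SAML_EMAIL_ATTRIBUTE = "email";

    private IdentityReconciler() {}

    /** Returns "issuer|email" for OIDC, "saml:registrationId|email" for SAML. */
    public static Optional<String> canonicalKey(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof OidcUser oidc) {
            // Issuer comes from the already-validated ID token claims.
            String issuer = String.valueOf(oidc.getIssuer());
            return normalize(oidc.getEmail()).map(email -> issuer + "|" + email);
        }
        if (principal instanceof Saml2AuthenticatedPrincipal saml) {
            // Attribute values were extracted from the validated assertion.
            String email = saml.getFirstAttribute(SAML_EMAIL_ATTRIBUTE);
            String idp = "saml:" + saml.getRelyingPartyRegistrationId();
            return normalize(email).map(e -> idp + "|" + e);
        }
        return Optional.empty(); // Unknown principal type: do not guess a user.
    }

    /** Trims and lower-cases so "Alice@Example.org" and "alice@example.org" match. */
    private static Optional<String> normalize(String email) {
        if (email == null || email.isBlank()) {
            return Optional.empty();
        }
        return Optional.of(email.trim().toLowerCase(Locale.ROOT));
    }
}
```

Call `IdentityReconciler.canonicalKey(authentication)` from a success handler or a custom user service and look the key up in your own user table; an empty result means the login should not be linked to any existing account.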