feat(saml): enhance SAML2 login success handling with improved user not found logging and provider reloading

Author: mjabascal10

backend/src/main/java/com/park/utmstack/config/saml/SamlRelyingPartyRegistrationRepository.java

@@ -14,7 +14,7 @@
 @Slf4j
 public class SamlRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
 
-    private final Map<String, RelyingPartyRegistration> registrations = new ConcurrentHashMap<>();
+    private volatile Map<String, RelyingPartyRegistration> registrations = new ConcurrentHashMap<>();
     private final SamlProvidersLoader providersLoader;
 
     public SamlRelyingPartyRegistrationRepository(IdentityProviderConfigRepository jpaProviderRepository) {
@@ -24,7 +24,6 @@ public SamlRelyingPartyRegistrationRepository(IdentityProviderConfigRepository j
         SamlRegistrationBuilder registrationBuilder = new SamlRegistrationBuilder(encryptionKey, metadataFetcher);
         this.providersLoader = new SamlProvidersLoader(registrationBuilder);
 
-        // Load providers on initialization
         loadProviders(jpaProviderRepository);
     }
 
@@ -34,22 +33,30 @@ public RelyingPartyRegistration findByRegistrationId(String registrationId) {
     }
 
     public void reloadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
-        registrations.clear();
-        loadProviders(jpaProviderRepository);
+        try {
+            registrations = loadActiveProviders(jpaProviderRepository);
+            log.info("SAML providers reloaded successfully: {} providers loaded", registrations.size());
+        } catch (Exception e) {
+            log.error("Failed to reload SAML providers - keeping previous configuration", e);
+        }
     }
 
     /**
      * Loads SAML providers using the specialized loader.
      * Delegates all async loading logic to SamlProvidersLoader.
+     * App will start without providers if loading fails.
      */
     private void loadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
         try {
-            List<IdentityProviderConfig> activeProviders = jpaProviderRepository.findAllByActiveTrue();
-            Map<String, RelyingPartyRegistration> loadedRegistrations =
-                    providersLoader.loadProvidersAsync(activeProviders);
-            registrations.putAll(loadedRegistrations);
+            registrations = loadActiveProviders(jpaProviderRepository);
+            if (registrations.isEmpty()) {
+                log.warn("No active SAML2 providers found. SAML2 authentication will not be available.");
+            } else {
+                log.info("Successfully loaded {} SAML2 provider(s) on startup", registrations.size());
+            }
         } catch (Exception e) {
-            log.error("Error during SAML provider loading: {}", e.getMessage(), e);
+            log.error("Error during SAML provider loading - app will start without SAML2 authentication: {}",
+                    e.getMessage(), e);
         }
     }
 
@@ -68,4 +75,11 @@ private String getValidatedEncryptionKey() {
         return encryptionKey;
     }
 
+    private Map<String, RelyingPartyRegistration> loadActiveProviders(IdentityProviderConfigRepository repo) {
+        List<IdentityProviderConfig> activeProviders = repo.findAllByActiveTrue();
+        Map<String, RelyingPartyRegistration> loaded = providersLoader.loadProvidersAsync(activeProviders);
+        return new ConcurrentHashMap<>(loaded);
+    }
+
+
 }

backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginSuccessHandler.java

@@ -12,7 +12,6 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
-import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -22,9 +21,6 @@
 import java.net.URI;
 import java.util.Collection;
 import java.util.Objects;
-import java.util.Optional;
-
-import static com.park.utmstack.config.Constants.FRONT_BASE_URL;
 
 /**
  * Success handler for SAML2 login.
@@ -38,7 +34,6 @@ public class Saml2LoginSuccessHandler implements AuthenticationSuccessHandler {
 
     private final TokenProvider tokenProvider;
     private final UserRepository userRepository;
-    private final Saml2LoginFailureHandler failureHandler;
 
 
     @Override
@@ -48,14 +43,16 @@ public void onAuthenticationSuccess(HttpServletRequest request,
 
         String scheme = Objects.requireNonNullElse(request.getHeader("X-Forwarded-Proto"), request.getScheme());
         String host = Objects.requireNonNullElse(request.getHeader("Host"), request.getServerName());
-
         String frontBaseUrl = scheme + "://" + host;
 
         Saml2AuthenticatedPrincipal samlUser = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
         String username = samlUser.getName();
 
         User user = userRepository.findOneByLogin(username)
-                .orElseThrow(() -> new BadCredentialsException("The provided credentials do not match any active user account."));
+                .orElseThrow(() -> {
+                    log.warn("SAML2 authentication successful for '{}' but user not found in local database", username);
+                    return new BadCredentialsException("User not provisioned in local system");
+                });
 
         Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(user.getAuthorities())
                 .stream()
@@ -75,6 +72,7 @@ public void onAuthenticationSuccess(HttpServletRequest request,
                 .build()
                 .toUri();
 
+        log.info("SAML2 login successful for user: {}", username);
         response.sendRedirect(redirectUri.toString());
     }
 }