wireapp/wire-server

SSO: bind password-authenticated users to SAML IdP.

fisx opened this issue · 0 comments

fisx commented

The Problem

Given a user authenticated with password and email (or with an old IdP about to be decommissioned), you want to authenticate this user via a new SAML IdP in the future. This change of authentication is called binding.

The proposed Solution

What happens behind the scenes (on the protocol level, basic idea):

  1. The user authenticates with her old credentials.
  2. Now, she requests a SAML 'AuthnRequest' from the wire backend for the new IdP.
  3. She jumps through the hoops of authenticating to wire with the new IdP, but presenting the wire session cookie obtained in 1. in all requests to the wire backend.
  4. Wire obtains the AuthnResponse from the new IdP together with the valid wire session cookie, and can therefore safely bind the user to the new IdP.

Status

The backend part is implemented (see test suite).

However, this needs integration testing against frontend(s) before it can be considered fully implemented, and implementing this on any client is not scheduled at the time of writing this issue.

One client platform (e.g., web) may be enough, since users are only required to use that platform once, for the actual binding process.
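The four protocol steps above, as an added, self-contained model of the backend side (this is illustrative code written for this page, not wire-server's Haskell implementation). The IdP's XML signature is replaced by an HMAC over the response fields so the script runs offline; the issuer URL, user names and the shared key are constructed. The point it demonstrates is the check in step 4: an AuthnResponse binds an IdP identity only when it answers a request that was issued to a valid session, when that same session presents it, and only once.

```python
import hashlib
import hmac
import secrets


def sign_fields(key, issuer, in_response_to, name_id):
    # Stand-in for the IdP's XML-DSig: an HMAC over the fields the backend checks.
    msg = "|".join([issuer, in_response_to, name_id]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def idp_issue_response(issuer, key, request_id, name_id):
    # Step 3, IdP side: after the user authenticates there, the IdP returns a
    # signed response naming the request it answers and the subject it saw.
    return {"issuer": issuer, "in_response_to": request_id, "name_id": name_id,
            "signature": sign_fields(key, issuer, request_id, name_id)}


class Backend:
    def __init__(self):
        self.users = {}      # user_id -> (email, password_hash)
        self.sessions = {}   # session cookie -> user_id
        self.pending = {}    # AuthnRequest id -> (idp_issuer, user_id that asked)
        self.bindings = {}   # (idp_issuer, name_id) -> user_id
        self.idp_keys = {}   # idp_issuer -> key (stand-in for the IdP certificate)

    def register_idp(self, issuer, key):
        self.idp_keys[issuer] = key

    def create_user(self, user_id, email, password):
        self.users[user_id] = (email, hashlib.sha256(password.encode()).hexdigest())

    def login(self, email, password):
        # Step 1: password login yields a session cookie.
        digest = hashlib.sha256(password.encode()).hexdigest()
        for user_id, (stored_email, stored_hash) in self.users.items():
            if stored_email == email and hmac.compare_digest(stored_hash, digest):
                cookie = secrets.token_hex(16)
                self.sessions[cookie] = user_id
                return cookie
        return None

    def create_authn_request(self, idp_issuer, cookie):
        # Step 2: the request id is tied to the session's user, so the
        # matching response can only ever bind that user.
        user_id = self.sessions.get(cookie)
        if user_id is None or idp_issuer not in self.idp_keys:
            return None
        request_id = "id-" + secrets.token_hex(8)
        self.pending[request_id] = (idp_issuer, user_id)
        return request_id

    def consume_response(self, response, cookie):
        # Step 4: verify the response, then require that the presenting
        # session is the one that asked for the request it answers.
        issuer = response["issuer"]
        key = self.idp_keys.get(issuer)
        if key is None:
            return "unknown idp"
        expected = sign_fields(key, issuer, response["in_response_to"], response["name_id"])
        if not hmac.compare_digest(expected, response["signature"]):
            return "bad signature"
        pending = self.pending.pop(response["in_response_to"], None)  # single use
        if pending is None:
            return "unknown or replayed request"
        pending_issuer, request_owner = pending
        if pending_issuer != issuer:
            return "issuer mismatch"
        session_user = self.sessions.get(cookie)
        if session_user is None or session_user != request_owner:
            # Without the requester's cookie this is not a bind; refuse.
            return "no valid session for request owner"
        name_key = (issuer, response["name_id"])
        if name_key in self.bindings and self.bindings[name_key] != session_user:
            return "identity already bound to another user"
        self.bindings[name_key] = session_user
        return "bound"


def run_bind_flow():
    # Drives the flow end to end with constructed data; returns the verdicts.
    idp, idp_key = "https://new-idp.example/metadata", b"constructed-shared-secret"
    backend = Backend()
    backend.register_idp(idp, idp_key)
    backend.create_user("u-alice", "alice@example.com", "correct horse")
    backend.create_user("u-bob", "bob@example.com", "battery staple")
    alice = backend.login("alice@example.com", "correct horse")
    bob = backend.login("bob@example.com", "battery staple")
    verdicts = {}
    req = backend.create_authn_request(idp, alice)
    resp = idp_issue_response(idp, idp_key, req, "alice@new-idp")
    # Subject altered in transit: signature check fails, request stays pending.
    verdicts["tampered"] = backend.consume_response(dict(resp, name_id="mallory@new-idp"), alice)
    # Bob presenting Alice's response with his own cookie cannot bind it.
    verdicts["wrong_session"] = backend.consume_response(resp, bob)
    # That attempt consumed the request; Alice starts over and succeeds.
    req = backend.create_authn_request(idp, alice)
    resp = idp_issue_response(idp, idp_key, req, "alice@new-idp")
    verdicts["bind"] = backend.consume_response(resp, alice)
    verdicts["replay"] = backend.consume_response(resp, alice)
    # Bob cannot bind the IdP identity Alice already holds to his account.
    req = backend.create_authn_request(idp, bob)
    resp = idp_issue_response(idp, idp_key, req, "alice@new-idp")
    verdicts["steal"] = backend.consume_response(resp, bob)
    verdicts["owner"] = backend.bindings[(idp, "alice@new-idp")]
    return verdicts


if __name__ == "__main__":
    print(run_bind_flow())
```

The pending request is popped before the session check, so a response presented with the wrong cookie is burned rather than left usable for a retry; the legitimate user simply requests a new AuthnRequest. A real backend also validates the IdP's certificate, the assertion's audience and time window, and the InResponseTo against the request it actually issued, which the HMAC stand-in here collapses into one field check.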