Idea Summary
Would like to be able to control the SAML authentication process to:
1. Perform custom authentication that bounces one of the SAML assertion attributes off a database table.
2. On successful custom authentication, use a single APEX account as a proxy login to the database session.
Use Case
SAML passes back a unique person identifier (think SSN) that gets matched to a database table of identities (similar to an LDAP directory) and is used to set APP_USER, etc. A single APEX account is used to log in to the database session. No need for hundreds of APEX accounts to match ADFS/SAML accounts.
Preferred Solution (Optional)
Ability to replace or customize SAML_CALLBACK. If the internals of SAML_CALLBACK were exposed via individual APIs that could be incorporated into a custom procedure (say, SAML_AUTH), then SAML_AUTH could be used as the callback for the SAML connection.
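The identity-table matching described in the Use Case, as an added PL/SQL example that is not part of the original idea post and not APEX's own code. It assumes a hypothetical IDENTITIES table, that the SAML scheme's username attribute delivers the person identifier as the initial APP_USER, and that apex_custom_auth.set_user may be called from a post-authentication procedure to remap the session user in your APEX release (verify this against the API reference for your version).

```sql
-- Added example, not code from the original idea post or from APEX itself.
-- Hypothetical table: one row per person known to the application.
create table identities (
  person_id    varchar2(64)  not null,   -- identifier carried in the SAML assertion
  app_username varchar2(128) not null,   -- value to expose as APP_USER
  is_active    char(1) default 'Y' not null check (is_active in ('Y','N')),
  constraint identities_pk      primary key (person_id),
  constraint identities_user_uk unique (app_username)
);

-- Constructed sample rows (not real identifiers)
insert into identities values ('123-45-6789', 'JSMITH', 'Y');
insert into identities values ('987-65-4321', 'ADOE',   'N');
commit;

-- Resolve the assertion identifier to an application username.
-- Returns null when there is no active match, so the caller decides how to fail.
create or replace function resolve_saml_identity (
  p_person_id in varchar2
) return varchar2
is
  l_username identities.app_username%type;
begin
  -- Exact equality on the primary key: no LIKE, no case folding, so a partial
  -- or wildcard value in the assertion cannot match a different person.
  select app_username
    into l_username
    from identities
   where person_id = p_person_id
     and is_active = 'Y';
  return l_username;
exception
  when no_data_found then
    return null;
end resolve_saml_identity;
/

-- Post-authentication procedure for the SAML scheme (assumption: configured as
-- the scheme's Post-Authentication Procedure Name). At this point APP_USER holds
-- the value the scheme took from the assertion.
create or replace procedure saml_post_auth
is
  l_username identities.app_username%type;
begin
  l_username := resolve_saml_identity(p_person_id => apex_application.g_user);

  if l_username is null then
    -- Unknown or inactive identity: abort the login rather than let the raw
    -- identifier through as APP_USER.
    raise_application_error(-20001, 'Identity not registered for this application');
  end if;

  -- Replace the assertion identifier with the mapped application username
  -- (assumption: apex_custom_auth.set_user is permitted here in your release).
  apex_custom_auth.set_user(p_user => l_username);
end saml_post_auth;
/
```

APEX already executes the application's SQL as the parsing schema regardless of APP_USER, so the single database account the idea asks for is the parsing schema; the mapping above only controls which username the session carries. Because the identifier in the assertion is sensitive, keep the lookup to an exact match on an indexed column and avoid logging its value in the failure path.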