micro services authentication using SAML and Identity Provider

1
votes

We are working on the development of micro services for our domain.

We have a requirement to secure the micro services using SAML.

I read through the SAML docs and see that there would an Identity provider to which we have register our application (SP) and also we should connect to IdP for authentication. I understand that we need to establish a circle of trust or federation between them.

I tried using the Spring Security SAML extension and SSOCircle.com as IdP for authentication using the sample application provided. I was able to successfully authenticate accordingly.

My question is, in a micro services architecture, we have multiple services. Since it is not a monolithic we cannot just add one service as a SP to the IdP.

That means every micro service I have say, employee, department,sales etc should also be added as a separate SP application in IdP.

I am not sure if that makes sense or actually possible to do so.

If anyone has worked on a similar architecture/development can you please provide your thoughts on the best way to approach the security of micro services from the point of authentication.

Thanks, bstechie

1
single-sign-onsamlspring-samlsiteminder

1 Answers

2
votes

Two ways to do this:

  1. As you said, configure each micro-service as SP and each SP talk to IdP for SAML authentication.
    • This is suitable, if each micro-service has different set of users, groups and roles than others.
    • There could be multiple SPs, which admin need to maintain.
  2. Consolidate and configure all micro-services to single SP at your domain (may be use Reverse Proxy Web-Server or Access Manager) and that single SP talk to IdP for SAML authentication.
    • This is suitable, if all micro-service has same set of users, groups and roles.
    • There could be only single SP that admin need to maintain.