How to build a Spring MVC based application to connect with any service provider to do the SSO

0
votes

We want to build one spring MVC based application which will support below use case:

  1. User access the application URL to login into application.
  2. Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
  3. On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
  4. Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).

The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.

Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.

1
spring-mvcsingle-sign-onsaml-2.0shibbolethopensaml

1 Answers

0
votes

This basically means - your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib) - your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO

Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)

Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?

SAML way: You would first have to do a 'passive AuthnRequest' to check this.

Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.