
This may be a broad question, but if you can provide any heads-up, I'd appreciate it.

I need to implement Single Sign-On between two web apps (AppX, AppY) on different domains. I am supposed to use SAML, so I expect there needs to be an IdP set up, and my apps would be service providers to it.

Scenario:

  1. If a user logs in to AppX, then he/she can go to AppY without logging in again, and vice versa.

Tool I'd use: Shibboleth IdP

Things I need to know:

  1. Where would IdP be set up and how to set up?

P.S. I am not a network guy, so any links explaining how the whole SAML SSO flow works would be a great help. Thanks in advance.

Update:

One more question: my apps know whether a user is valid or not, as they have access to the DB, but how can the IdP authenticate the users? I suppose that the IdP is going to connect to my app via a back-channel, or my DB has to serve as the user directory for the IdP. What is IdP authentication based on?

Sachin Verma

2 Answers

3

So I'm assuming the web apps are Java?

If so, they both need a SAML stack; refer to the SAML connectivity tool.

Spring Security SAML is widely used.

Then you connect both of these as Service Providers to Shibboleth.

Then the user connects to AppX, has to authenticate with Shibboleth, Shibboleth cookies are created, application cookies are created, and a SAML token is sent to the user.

The user connects to AppY, has to authenticate with Shibboleth, Shibboleth sees that the cookies are already there, authenticates under the hood, application cookies are created, and a SAML token is sent to the user.

The IdP needs to be accessible from the Internet if external access is required, so a DMZ?

Install documentation here.

rbrayb
  • "has to authenticate with shibboleth" How does Shibboleth know about users which only my apps know about? Please explain this a bit too. – Sachin Verma Aug 21 '15 at 04:42
  • It doesn't. Shibboleth can only authenticate against its repository, e.g. AD / OpenLDAP. If you have users in a local repository, you either need to migrate them or add another instance of Shibboleth and federate them. – rbrayb Aug 21 '15 at 22:16
  • So, the users get synced with AD/OpenLDAP from my database every time? That does not look like a good solution. P.S.: I don't know how AD/LDAP works. – Sachin Verma Aug 23 '15 at 13:51
  • You need to provide some more context. What do you mean by "users which only my apps know about"? What repository are they in? What repository do you want Shibboleth to use? – rbrayb Aug 24 '15 at 18:56
  • I am reading your answer @rbrayb since I am researching how to link an account in an internal identity management system with an identity provider using Shibboleth in a Java web app. What can I use to do that? – Ana Sustic Aug 11 '21 at 06:35
  • Assuming you are using SAML, use the NameID. This is contained in the SAML token and essentially acts as a primary key to link two identity stores - https://authory.com/RoryBraybrook/ADFS-Using-the-SAML-NameID-to-map-IdP--SP-claims – rbrayb Aug 11 '21 at 06:51
  • Thanks @rbrayb. Is there a library or SDK that supports SAML and Shibboleth in the Java world? The use case I foresee is that the user first logs on locally to the internal identity management system. The web app checks if the link to the identity provider already exists. If not, the user has to authenticate to the IdP, and after that the link is established between the two. – Ana Sustic Aug 11 '21 at 07:38
  • https://medium.com/the-new-control-plane/i-need-a-saml-stack-now-63d9691e2d43 – rbrayb Aug 11 '21 at 08:28
  • For Java, Spring Security is common. – rbrayb Aug 11 '21 at 08:28
  • Thanks @rbrayb. Do you know of any resource that describes the flow behind the linking part? – Ana Sustic Aug 12 '21 at 08:56
  • The app would have two login buttons (i.e. federation): one for local, one for the IdP. The NameID attribute in the SAML token links the two. So if the NameID is email, then the same email has to exist in both systems. When the user logs into the IdP, the email is passed and your app has to search for that email locally. That links the two identities. – rbrayb Aug 12 '21 at 21:56
2

You can find a video talking about SAML here: https://www.youtube.com/watch?v=S9BpeOmuEz4

There are two important roles in SAML: Service Provider (SP) and Identity Provider (IdP).

In your case, AppX and AppY are both SPs, and Shibboleth acts as the IdP.

Shibboleth is a web application too, so all you need is to deploy Shibboleth on one server and make it accessible to end users, just as AppX and AppY are.

PS: AppX and AppY do not need to access the Shibboleth server directly; the client (the end user's browser) will act as a bridge to connect them.

The installation guide of shibboleth Idp is: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall

  • Is there something needed in the IdP to register an SP, or vice versa? I think some metadata is needed, and the above link does not explain it. – Sachin Verma Aug 21 '15 at 02:19
  • Yes, the SP's metadata should be configured in {idp.home}/conf/metadata-providers.xml. After installing Shibboleth, you can test it using this website: https://www.testshib.org/index.html – Liu Xingnan Aug 21 '15 at 02:53