We have two separate products, both including web app and server.

We want to implement Single Sign On for both of them, so when a user has logged into one product, he can automatically access resources in the other product belonging to him.

I have explored a little bit and found that SAML is a good approach we can take, but we are not sure how we want to proceed.

Is it a good idea to implement our own Service Provider? I have looked at Shib SP, but it looks like integrating it into my products won't be that easy either.

So I am just looking for some suggestions from people who have encountered a similar problem before.

Another question is what resources I can study if I need to implement an SP using OpenSAML. It looks like there are not a lot of tutorials or examples that I can refer to.

I would also really appreciate it if anybody could point out some of the big procedures or components that my own SP needs to contain.

EDIT 1:

Just trying to provide more details about what I want. We have two separate products. Currently we are able to externalize the user database. For example, our products can be configured to connect to an LDAP server or any other external user DB as long as it implements a service properly.

Now our goal is SSO for both of our products. One scenario is that we have our own SP component (either implemented or integrated) in both products. Customers may have their own IdP. With some configuration, our SP can connect to their IdP and do authentication from there, and the user doesn't need to log in twice to access both products. Of course, we can provide an out-of-the-box IdP if the customer doesn't have one.

performanceuser
  • [How to build and run Shibboleth SAML IdP and SP using Docker container](https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP) at GitHub provides instructions on building your own IdP for SAML in Java using Shibboleth SAML IdP and OpenLDAP. – winstonhong May 29 '20 at 15:45

3 Answers

The biggest difficulty with Shibboleth is that it is, effectively, a reference implementation of the SAML v2.0 specification.

For most routine installations, though, you actually need very little of the SAML spec to enable a couple of web apps for SSO.

But since Shibboleth implements the whole thing, with all of its capability, it can be a bear to configure.

We did a project with Shibboleth (and it was admittedly an on-the-edge use case), and, for me, a SAML novice at the time, it was really a chore to get everything up and working.

For our next stab, I looked at the SAML spec for SSO via the Web Profile. If you read it, it's actually quite straightforward for this limited use case. And we decided that instead of using Shibboleth again, we'd write our own IdP and SP using the OpenSAML libraries.

Could we have got Shibboleth working faster? Probably. But I don't think we'd have the understanding of it that we do of our own. A bit of Not-Invented-Here, sure, but this stuff is confusing enough when you do understand the software and vocabulary, much less when you don't. And SAML is chock full of new vocabulary.

You can also consider using SimpleSAML as an IdP and writing your own SP for your web apps. SimpleSAML is in PHP, but it's a bit more user friendly. You can just treat it as a self-contained Apache service.

I will say that our SP weighs in at around 1000 lines of javadoc'd code, but it's mostly wiring OpenSAML stuff together and some utility stuff. In truth it's not that scary. Be prepared to really enjoy reading signed XML blobs though.

It is frustrating that this really isn't simpler, but it's a bit of a chicken/egg thing regarding adoption etc.

And if none of that suits you, you can look at OAuth2 and some of its profiles.

Will Hartung
  • I have exactly the same feeling as you when I try to set up a demo using Shib SP and IdP. It is too powerful and flexible. I have spent so much time reading their wiki and googling other related resources. There is a lot of new vocabulary that we need to understand. Thanks a lot for your post. It makes me braver about trying to implement our own SP. Can you share with me some resources or examples that you referred to while writing your own SP code? I don't see a lot on the Internet. – performanceuser Jul 10 '12 at 23:09
  • I googled around and came across http://code.google.com/p/websso/ . I did not use this myself, but as a first cut it looks pretty good. It has both SP and IdP sides of the equation. The svn checkout is...large. I also found http://www.capcourse.com/Library/OpenSAML/index.html , but his code has no (obvious) license, so I didn't look at it too closely. But it has generic SAML examples that you might be able to look at if you get stuck. – Will Hartung Jul 11 '12 at 03:59
  • Thanks a lot. I will take a look at these examples. – performanceuser Jul 11 '12 at 07:38
If you only want to implement SSO between 2 products, I think yes, building something from scratch is easier. If it's Java, Shibboleth's OpenSAML is a very good lib.

As you begin to implement more stuff, and some complex scenarios, going for something already built is the best choice. You should also be aware of several things you'll be likely to write on a per-system basis (e.g. assertion generation, xml-dsig, validation, etc.).

At a glance, it might seem like the already built products are way too complex or difficult to scale or adapt to your particular needs. But your dev effort writing connectors and implementations can be rewarded when you feel like exploiting all of the SAML capabilities.

It'd be very helpful though, if you could explain in more detail what you want to achieve; I feel your question is quite open...

Vicente Plata
  • Thanks. I have updated my original post. I agree the question is kind of open. I have tried to provide as many details as I can. – performanceuser Jul 10 '12 at 22:56
  • @performanceuser given your update, and if it doesn't go beyond that, I'd recommend writing a simple SAML assertion consuming endpoint that does all the logic, and asking your customer to post there in order to enable login on your side. You still gotta take care of some stuff (i.e. logout, security) but I think the time for writing it and knowing the constraints is less than the one you'd need in order to understand the full Shibo's product. – Vicente Plata Jul 10 '12 at 23:36
  • Thanks. I will try to implement one. Can you share with me some resources or examples about implementing SP using openSAML? I don't see a lot on the Internet. – performanceuser Jul 11 '12 at 00:37
  • Neither do I. I have this extremely simple approach; it has nothing complex and lacks a lot of stuff, but it could help you get an idea of how to build and process a Response: https://github.com/xnt/jsamlutil – Vicente Plata Jul 11 '12 at 01:03
  • Really appreciated. You rock! – performanceuser Jul 11 '12 at 01:11
  • I found the Shibboleth SP to be fairly easy to set up. Using the OpenSAML library to write my own seemed like a much bigger pain in the rear. Because I was new to SAML, it was nice that I didn't have to guess about how to implement everything---Shibboleth mostly led me down the right paths. It's easy to disable everything but Web SSO if that's the only part you want. Integrating everything with my web app meant adding a request handler that would read the request variables that Shibboleth put there for my SSO login page. – jbindel Jul 14 '12 at 03:09
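Will Hartung's answer (write your own SP against the Web SSO profile) and Vicente Plata's comment above (a "simple SAML assertion consuming endpoint") both point at the same two-step SP core: send an AuthnRequest, then validate the Response at the Assertion Consumer Service. The block below is an added example in standard-library Python, not code from any answer, from OpenSAML or from the linked repositories. Entity IDs, URLs, the fixed clock and the sample Response are constructed; the cryptographic XML-DSig verification is assumed to be done by a signature library before validate_response runs, and what this code checks is the rest of what the profile requires, including that the signed Reference names the assertion ID actually consumed (the usual defence against signature wrapping).

```python
"""SP-side core of SAML 2.0 Web Browser SSO (HTTP-POST binding), standard library only.
Step 1 issues an AuthnRequest and records its ID; step 2 validates the Response the
IdP posts back to the Assertion Consumer Service (ACS). All IDs/URLs are constructed."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP, ACS, IDP = ("https://sp.example.com/metadata", "https://sp.example.com/saml/acs",
                "https://idp.example.com/metadata")       # hypothetical entity IDs / URLs
NOW = datetime(2012, 7, 11, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def _t(s):
    # xs:dateTime; fromisoformat() on Python < 3.11 does not accept a trailing 'Z'
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, outstanding, now):
    """Step 1: AuthnRequest with a fresh ID, remembered so the Response's InResponseTo can
    be matched later (rejects unsolicited or replayed responses). Returns (id, xml)."""
    req_id = "_" + secrets.token_hex(16)                  # xs:ID must not start with a digit
    outstanding[req_id] = now
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{now.isoformat()}" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml


def validate_response(xml_text, *, sp_entity_id, acs_url, idp_entity_id, outstanding,
                      now, clock_skew=timedelta(minutes=2)):
    """Step 2 (ACS endpoint): the checks the Web SSO profile requires of a bearer assertion.
    Returns (name_id, errors); create a session only when errors == []. The XML-DSig
    cryptographic check is assumed done by a signature library before this runs (assumption)."""
    errors, root = [], ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") != acs_url:                # must be addressed to our ACS
        errors.append("Destination does not match ACS URL")
    irt = root.get("InResponseTo")
    if irt in outstanding:
        del outstanding[irt]                               # single use: consume the request ID
    else:
        errors.append("InResponseTo unknown or already used")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, errors + [f"expected one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        errors.append("unexpected Issuer")
    # Signature-wrapping defence: the enveloped signature's Reference must name THIS assertion.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        errors.append("Assertion is not signed over its own ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = _t(cond.get("NotBefore")), _t(cond.get("NotOnOrAfter"))
        if nb and now + clock_skew < nb:
            errors.append("assertion not yet valid")
        if noa and now - clock_skew >= noa:
            errors.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("Audience does not include this SP")
    subj = a.find("saml:Subject", NS)
    name_id = subj.findtext("saml:NameID", namespaces=NS) if subj is not None else None
    confirmed = False   # bearer confirmation: Recipient is our ACS, tied to our request, unexpired
    for sc in (subj.findall("saml:SubjectConfirmation", NS) if subj is not None else []):
        d = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or d is None:
            continue
        noa = _t(d.get("NotOnOrAfter"))
        if (d.get("Recipient") == acs_url and d.get("InResponseTo") == irt
                and noa is not None and now - clock_skew < noa):
            confirmed = True
    if not confirmed:
        errors.append("no valid bearer SubjectConfirmation for this ACS")
    if not name_id:
        errors.append("missing NameID")
    return (name_id if not errors else None), errors


def sample_response(req_id, sp=SP, acs=ACS):
    """Constructed IdP Response for the demo; the SignatureValue is a placeholder."""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
  xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" IssueInstant="2012-07-11T12:00:00Z"
  Destination="{acs}" InResponseTo="{req_id}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-07-11T12:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
        Recipient="{acs}" InResponseTo="{req_id}" NotOnOrAfter="2012-07-11T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2012-07-11T11:59:00Z" NotOnOrAfter="2012-07-11T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''


if __name__ == "__main__":
    pending = {}
    rid, _ = build_authn_request(SP, ACS, "https://idp.example.com/sso", pending, NOW)
    print(validate_response(sample_response(rid), sp_entity_id=SP, acs_url=ACS,
                            idp_entity_id=IDP, outstanding=pending, now=NOW))
    # Delivering the same Response twice is rejected: the InResponseTo was consumed.
    print(validate_response(sample_response(rid), sp_entity_id=SP, acs_url=ACS,
                            idp_entity_id=IDP, outstanding=pending, now=NOW))
```

The outstanding-request map and the returned error list are the two things worth keeping in a real deployment: the first has to live in shared storage if the SP runs on more than one node, and the second is what you log at the ACS so that a rejected login can be traced to a misconfigured audience or clock skew rather than guessed at. Logout and metadata exchange, which Vicente Plata mentions, are the pieces this example leaves out.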
I don't have personal experience with the Shibboleth Service Provider, but I am currently developing an architecture which uses Shibboleth IdP, Shibboleth Discovery Service and Guanxi Service Provider. Integrating the lightweight Guard module from Guanxi Service Provider with a Java webapp is a piece of cake and you can easily obtain a Shibboleth-based architecture without writing your own modules. There is a localhost tutorial for setting up Guanxi SP; just skip the parts about Guanxi WAYF and IdP and use Shibboleth components in their place.

Erwin
  • Thanks for your information. This is the first time that I have heard of Guanxi. Do you know if it is free? – performanceuser Jul 12 '12 at 16:42
  • [1]: https://github.com/guanxi/guanxi-sp-engine/blob/master/README [2]: https://github.com/guanxi/guanxi-sp-guard/blob/master/README – Erwin Jul 16 '12 at 11:20