At our university, we are planning to host a range of separate small web applications implemented in Spring Boot, hosted in a Tomcat web container. Our university has a Shibboleth IdP that we would like to use to authenticate users.
What I understand up to this point is that we need to host our own Service Provider, and that this can be done either by integrating it into each separate application using Spring Security SAML, or by installing a Shibboleth Service Provider on the Tomcat server and somehow mapping it to the applications using this method.
This SE question, and the answer by Vladimir, already clarified a lot, but I'd like to make sure I invest my time in the most appropriate way of setting this up for our specific use case:
- Multiple small applications
- All applications use the same IdP, so the same authentication, but the authorizations (who can access what) might be different.
- We don't require customization of the login procedure. I would like to have the default look and feel the university uses on all its other applications.
- Preferably, I would like to keep the "who can access what" rules outside of the applications.
Do I understand correctly that using Spring Security SAML would become redundant, since I would need to include it in each application and configure it for each application, while with the Tomcat approach I would only need to set this up once and then just set up the mapping to the applications correctly?