{span:style=font-size:2em;font-weight:bold}JAX-RS: SAML Web SSO{span}

{toc}

h1. Introduction

[SSO|http://en.wikipedia.org/wiki/Single_sign-on] is about a user having to sign in only once when interacting with a custom web application which may offer a number of individual endpoints.

CXF 2.6.1 introduces comprehensive service provider (SP) support for the SAML Web SSO [profile|http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]. This [page|http://en.wikipedia.org/wiki/SAML_2.0] also offers a good overview of the [profile|http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile].

HTTP Redirect (via GET) and POST bindings are supported. The module has been tested against many IDP providers and is easily configurable.

The following components are required to get SSO supported:
- Identity Provider (IDP) supporting SAML SSO
- Request Assertion Consumer Service (RACS)
- Application Service Provider Security Filter
- SSO State Provider

The following sections describe these components in more detail.

h2. Typical Flow

Typically, the following flow represents the way SAML SSO is enforced:
1. User accesses a custom application for the first time
2. Application Service Provider Security Filter checks if the security context is available and, if it is not, redirects the user to the IDP with a SAML SSO request
3. IDP challenges the user with the authentication dialog and redirects the user to the Request Assertion Consumer Service (RACS) after the user has authenticated
4. RACS validates the response from the IDP, establishes a security context and redirects the user to the original application endpoint
5. Application Service Provider Security Filter enforces that a valid security context is available and lets the user access the custom application.

h1. Maven dependencies

{code:xml}
<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
  <version>2.6.1</version>
</dependency>
{code}

h1. Identity Provider
Identity Provider (IDP) is the service which accepts the redirect requests from application security filters, authenticates users and redirects them back to the Request Assertion Consumer Service (RACS). CXF does not offer its own IDP SAML Web SSO implementation but might provide it in the future as part of the [Fediz|http://cxf.apache.org/fediz.html] project. However, CXF has been tested against a number of popular IDP implementations which support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific production environment.

The interoperability tests have shown that some IDPs may process SAML requests and produce SAML response data in a way which is not exactly specification-compliant, and thus the CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter implementations have a number of configuration properties for adjusting the way SAML requests to the IDP are prepared and SAML responses from the IDP are processed.

h1. Application Security Filter

h1. Request Assertion Consumer Service

h1. SSO State Provider
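The Typical Flow above, reduced to the three SP-side roles (security filter, SSO state provider, RACS), as an added protocol-level illustration that is not CXF code and not part of the original page: it builds an AuthnRequest for the HTTP-Redirect (GET) binding, keeps the outstanding request ID as SSO state, and shows the RACS correlation check that rejects unknown or replayed InResponseTo values. All endpoint URLs and the issuer are constructed placeholders; XML signature and assertion validation, which a real RACS also performs, are out of scope here.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# Constructed, hypothetical endpoint values (not taken from the CXF page).
IDP_SSO_URL = "https://idp.example.test/sso/redirect"
SP_ISSUER = "https://app.example.test/sp"
RACS_URL = "https://app.example.test/racs"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SSO State Provider role: outstanding request IDs mapped to the original
# application URL, so RACS can correlate the IDP response and redirect back.
pending_requests = {}

def build_redirect(original_url):
    """SP filter step: create an AuthnRequest, record state, return the IDP URL."""
    req_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" '
           f'AssertionConsumerServiceURL="{RACS_URL}">'
           f'<saml:Issuer>{SP_ISSUER}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml_request = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    pending_requests[req_id] = original_url
    query = urlencode({"SAMLRequest": saml_request, "RelayState": original_url})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    """IDP side: inflate the SAMLRequest parameter and read ID, Issuer, RelayState."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return root.get("ID"), root.find(f"{{{SAML}}}Issuer").text, params["RelayState"][0]

def racs_validate(in_response_to, relay_state):
    """RACS step: accept a Response only if InResponseTo matches a request this SP
    issued and has not been consumed yet (signature checks omitted here)."""
    original = pending_requests.pop(in_response_to, None)
    if original is None or original != relay_state:
        return None  # unknown, replayed or mismatched response: no context
    return original  # URL to redirect the user to once the context is set
```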