Reputation: 18848
I have been looking at SSO [Single Sign On] solutions on StackOverflow and on Google. The concept is pretty much as simple as "Once logged in, logged in everywhere".
Now my question is, as there are many different frameworks, do we really need such frameworks, or can we implement a simple SSO solution based on fundamental concepts, and in which case can we choose what?
Two Cases:
Internet, where we expose our web applications over the internet to a wide range of people/customers, where we can have multiple domains and multiple servers.
Intranet, where we expose our web applications over intranet/internet to a limited range of people. A better example could be an SSO for employees within an organization.
A case where I am trying myself to find a solution.
I want to implement an SSO for employees of my organization, where once they log in, they will be automatically logged in to all other applications like [mail/chat etc.].
Primarily we use LDAP for user credential management. That being said, each application can now log in by validating the user against LDAP and go on.
Or
We can have a single web application which communicates with LDAP to log in and works as the SSO, with other applications talking to it.
I am considering two options here.
Using one of the frameworks [OpenAM/JOSSO or any other if it's good and fit enough for my requirement], which uses my own authentication [my own jar which takes username and password and returns authorized or not].
Using my own web application, which uses my own authentication as I said, holds a public/private key mechanism [OpenPGP], communicates back and forth with other applications and handles cookie management.
Which option is better for my requirement? Or can someone give an overview of in which case we can opt for which framework?
Upvotes: 1
Views: 1758
Reputation: 48230
Building your own implementation is a bad choice for at least two reasons:
Picking a built-in framework, on the other hand, is not as important as it sounds. The most important thing is to pick a well-established protocol; to name three: OAuth2, SAML2 and WS-Federation.
Picking a protocol from these three leaves you with a decision: either to pick an existing implementation of the protocol or to write a custom one. The first option is of course easier to maintain and safer; create a custom implementation only when you are 100% sure that existing implementations do not fulfill your requirements.
All mentioned SSO protocols work by making one particular application in your environment the identity provider. The IdP knows where to find the user backstore and how to validate credentials, and other applications trust the identity provider. The difference between protocols is how the trust relation is implemented. In short, the trust in OAuth2 consists in direct calls between the application server and the identity provider server, whereas WS-Federation and SAML consist in passing a digitally signed XML token which says who the user is and what roles he/she has.
Upvotes: 2
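The answer's description of the token-based trust relation (an IdP validates the user once and hands out a signed statement of identity and roles that each application verifies without touching the user store) can be illustrated with a small model. This is an added example, not code from the answerer or from any of the named products, and it is not a SAML or WS-Federation implementation: it uses a compact JSON payload and an HMAC-SHA256 signature from the Python standard library as a stand-in for the signed XML, and a constructed shared secret where a real IdP would sign with a private key and the applications would verify with its public key. The function names, claim names (`sub`, `roles`, `aud`, `iat`, `exp`) and application names are assumptions chosen for the example. The relying-application side shows the three checks a practitioner would insist on: the signature is intact, the token was issued for this application, and it has not expired.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo. A real IdP signs with a private key
# so that relying applications only ever hold its public key.
IDP_SECRET = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in URLs/cookies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore the padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, audience: str, ttl: int = 300, now: float = None) -> str:
    """IdP side. The IdP has already validated the user (e.g. against LDAP);
    it now states who the user is and which roles they hold, binds the statement
    to one application (audience) and a short lifetime, and signs it."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,          # who the user is
        "roles": roles,       # what roles he/she has
        "aud": audience,      # which application this token is meant for
        "iat": int(now),      # issued at
        "exp": int(now) + ttl # expires at
    }
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: float = None) -> dict:
    """Relying-application side. Trust the IdP's statement only if the signature
    is intact, the token is for this application and it has not expired.
    The signature is checked before the payload is parsed, so untrusted bytes
    never reach the JSON parser."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != expected_audience:
        raise ValueError("token issued for a different application")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def login_everywhere(user: str, roles: list, apps: list, now: float = None) -> dict:
    """One IdP login, one audience-bound token per application.
    Returns {app: accepted subject} for every application that verified it."""
    return {
        app: verify_token(issue_token(user, roles, app, now=now), app, now=now)["sub"]
        for app in apps
    }


if __name__ == "__main__":
    # Constructed demo run: the employee logs in once at the IdP and is
    # accepted by both the mail and chat applications.
    print(login_everywhere("alice", ["employee", "mail-user"], ["mail", "chat"]))
```

The audience check is what stops a token captured at one application from being replayed at another, and the short `exp` bounds how long a leaked token stays useful; both checks belong in every relying application, not only in the IdP, which is the part a home-grown SSO most often gets wrong and an established SAML2 or WS-Federation implementation already handles.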