Ed goo

Reputation: 55

Spring SAML SSO

I have a portal application developed using the Spring Security and MVC frameworks. This portal application connects to an IDP (developed using Spring Security and Spring SAML) for authentication. If the user authentication succeeds, the user is navigated to a homepage where multiple links are provided for external applications… When the user clicks on an application link, the user should be navigated to the respective application without being challenged by a login page.

The other applications are developed using Struts and Spring Security. How do I make sure that, when a link is clicked from the portal, either the SAML token or the security context is passed to the other application so that it will not ask for login?

Any help is greatly appreciated.

Upvotes: 1

Views: 297

Answers (1)

Gabor Lengyel

Reputation: 15560

The most common flow for SAML is something like the following:

  1. The application (called the service provider, or SP) receives a request (any request, such as a request for a business resource) from an unauthenticated user.
  2. It redirects the user (most commonly via an HTTP redirect) to the IdP (with which the SP should already be registered).
  3. If the user is not authenticated to the IdP (not logged in to SSO), a login form is presented and login is managed by the IdP until there is a user session with the IdP.
  4. If the user is already authenticated with the IdP (either because he already was or because he has just entered a correct username/password), the IdP issues its claim token and posts the user with the token back to the Assertion Consumer Service in the SP (the original application).
  5. The Assertion Consumer Service (practically just an API endpoint) receives and validates the SAML token and creates its own application session for the user. Now the user is authenticated to the application (SP).
  6. Upon the next request to the application (SP), there is already a session, so SAML is not involved.

Note that if there is already a session with the IdP, all of this is seamless for the user. A bunch of redirects take place, but the user will just reach the application without entering credentials.

So the short answer to your question is that your external applications need to support SAML SSO and need to be registered with the identity provider, in which case they can just use the IdP for authenticating the user and for signing the claims it may have.

Upvotes: 2
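The six steps above, as an added runnable model that is not part of the answer and not Spring SAML code: a portal and a second, separately registered service provider both trust one IdP, and the second application is reached with no login form once the IdP session exists. The entity IDs, URLs, user, cookie and key are constructed for the example, and an HMAC over canonical JSON stands in for the XML signature a real SAML Response carries. What the model keeps faithful is step 5: the ACS checks the signature, issuer, audience and destination, the validity window, that the response answers an AuthnRequest this SP actually sent, and that the assertion has not been consumed before, and only then creates the application session.

```python
import hashlib
import hmac
import json
import secrets
import time

# Every identifier and key below is constructed for this example.
IDP_ENTITY_ID = "https://idp.example.test"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # stands in for the IdP's private signing key
USERS = {"alice": "correct horse"}                 # constructed IdP credential store


def sign(body):
    """HMAC over canonical JSON; stands in for the XML signature on a real SAML Response."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self):
        self.sso_sessions = {}    # browser cookie -> user: the IdP-side SSO session (step 3)
        self.registered_sps = {}  # SP entity ID -> ACS URL: SPs must be registered (step 2)

    def register_sp(self, entity_id, acs_url):
        self.registered_sps[entity_id] = acs_url

    def login(self, cookie, user, password):
        """Step 3: the login form belongs to the IdP; success creates the SSO session."""
        if USERS.get(user) == password:
            self.sso_sessions[cookie] = user

    def sso(self, cookie, authn_request):
        """Step 4: with an IdP session present, issue a signed token addressed to the requesting SP."""
        acs_url = self.registered_sps.get(authn_request["issuer"])
        if acs_url is None:
            raise ValueError("requesting SP is not registered with the IdP")
        user = self.sso_sessions.get(cookie)
        if user is None:
            return "login_form", None             # seamless only when the SSO session already exists
        now = time.time()
        body = {
            "assertion_id": "_" + secrets.token_hex(8),
            "issuer": IDP_ENTITY_ID,
            "audience": authn_request["issuer"],
            "destination": acs_url,
            "in_response_to": authn_request["id"],
            "subject": user,
            "not_before": now - 30,
            "not_on_or_after": now + 300,
        }
        return "post_to_acs", {"body": body, "signature": sign(body)}


class ServiceProvider:
    def __init__(self, entity_id, acs_url):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.sessions = {}            # app session id -> user; when present SAML is skipped (step 6)
        self.pending = {}             # outstanding AuthnRequest id -> originally requested path
        self.seen_assertions = set()  # consumed assertion IDs, so a captured token cannot be replayed

    def handle_request(self, session_id, path):
        """Steps 1-2: serve the resource if a session exists, else redirect to the IdP with an AuthnRequest."""
        if session_id in self.sessions:
            return "200", f"{path} as {self.sessions[session_id]}"
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = path
        return "302", {"id": req_id, "issuer": self.entity_id, "acs_url": self.acs_url}

    def assertion_consumer_service(self, response):
        """Step 5: validate the token on every axis, then create the application session."""
        body = response["body"]
        if not hmac.compare_digest(sign(body), response["signature"]):
            raise ValueError("signature check failed")
        if body["issuer"] != IDP_ENTITY_ID:
            raise ValueError("token not issued by the trusted IdP")
        if body["audience"] != self.entity_id or body["destination"] != self.acs_url:
            raise ValueError("token was issued for a different SP")
        if not body["not_before"] <= time.time() < body["not_on_or_after"]:
            raise ValueError("token outside its validity window")
        path = self.pending.pop(body["in_response_to"], None)
        if path is None:
            raise ValueError("response does not answer an outstanding AuthnRequest")
        if body["assertion_id"] in self.seen_assertions:
            raise ValueError("assertion already consumed")
        self.seen_assertions.add(body["assertion_id"])
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = body["subject"]
        return session_id, path


def run_flow():
    """One login at the IdP via the portal; a second registered SP is then entered with no login form."""
    idp = IdentityProvider()
    portal = ServiceProvider("https://portal.example.test", "https://portal.example.test/saml/SSO")
    reports = ServiceProvider("https://reports.example.test", "https://reports.example.test/saml/SSO")
    for sp in (portal, reports):
        idp.register_sp(sp.entity_id, sp.acs_url)
    cookie = "constructed-browser-cookie-for-idp"

    _, authn = portal.handle_request(None, "/home")          # no portal session yet (step 1-2)
    first_outcome, _ = idp.sso(cookie, authn)                 # no IdP session yet either (step 3)
    idp.login(cookie, "alice", "correct horse")
    _, response = idp.sso(cookie, authn)                      # step 4
    portal.assertion_consumer_service(response)               # step 5

    _, authn = reports.handle_request(None, "/dashboard")    # link clicked from the portal
    second_outcome, response = idp.sso(cookie, authn)         # IdP session exists: no login form
    reports_sid, path = reports.assertion_consumer_service(response)
    return {"first": first_outcome, "second": second_outcome,
            "reports_page": reports.handle_request(reports_sid, path)[1]}
```

The audience and destination checks are what stop a token issued for the portal from being presented to the reports application, and the `pending`/`seen_assertions` bookkeeping is what stops the same posted response from being accepted twice. In a real deployment those checks, and the XML signature verification, are what the SAML library in each Struts application has to perform; the IdP does the authentication, the SP does the validation.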
