Cross-domain SSO with OpenAM and SAML 2.0


I have a requirement for cross-domain SSO, so I chose OpenAM with SAML. I have two applications hosted on different servers and hosts for which I need to implement SSO. I have read about OpenAM with SAML but could not get the core idea of the setup. LDAP is used as the user data store. I have something in mind and want to verify that it meets my requirement.

  1. Since I have two applications (AppA and AppB) that need SSO, do I need two OpenAM instances configured as service providers, deployed in different Tomcat containers? Should each service provider be deployed alongside AppA and AppB respectively?
  2. Do I need another, separate Tomcat container for the identity provider OpenAM?
  3. Should the SP be registered with the IdP and the IdP registered with the SP within the same Circle of Trust?

Do I have to do anything else? Also, do I have to configure a separate LDAP for each IdP and SP? What would be the ideal setup in my case?

2

There are 2 answers

2
Bernhard Thalmayr On

You need one IdP; your apps have to implement the SP. If your apps are Java based you could leverage OpenAM's Fedlet or use the Spring Security SAML extension (works like a charm).

There's also a PHP SAML SP and even an Apache HTTP server SAML module ...

Or you could use OpenIG as a reverse proxy (but it's a Java web app), which also implements a SAML SP.

-Bernhard
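Whichever SP library the apps use, the SP side of the circle of trust ends up enforcing the same checks on every assertion the IdP returns. The block below is an added illustration, not code from the answers above or from OpenAM, showing those checks on a constructed, unsigned SAML response; the entity IDs, ACS URL and request ID are assumptions, and a real SP verifies the IdP's XML signature before any of this.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust anchors the SP takes from its circle-of-trust configuration (constructed values).
TRUSTED_IDP = "https://idp.example.com/openam"
SP_ENTITY_ID = "https://appa.example.com/sp"
ACS_URL = "https://appa.example.com/sp/acs"

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def check_assertion(xml_text, now_iso, expected_in_response_to):
    """Return (True, NameID) or (False, reason). Signature check is assumed done earlier."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "issuer not in circle of trust"
    conf = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL:
        return False, "recipient mismatch"
    if conf.get("InResponseTo") != expected_in_response_to:
        return False, "unsolicited or replayed response"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience is another SP"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed response for AppA's SP (unsigned; illustration only).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://appa.example.com/sp/acs" InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://appa.example.com/sp</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
```

The audience check is what keeps an assertion issued for AppB from being accepted by AppA even though both SPs trust the same IdP.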

0
Apoorve On

One more possible solution, in which you can use OpenAM out of the box, is OpenAM identity federation:

  1. Use the standard OpenAM identity federation setup (with IdP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
  2. You will need an IdP for AppA and an SP for AppB, or vice versa. The IdP will be connected to your user store.
  3. On the SP side, create a dummy user store using something like OpenDS.
  4. Import all the users from the IdP to the SP (using a scheduled daily batch job).
  5. Implement auto-federation based on one or more of the user attributes.
  6. Use OpenAM's authorization features on the SP side to grant access to the SP-side app.