Apache as SSO IdP and reverse proxy?

Sorry if the title is a bit unclear - I'm not quite sure how to phrase what I'm looking for.

Essentially, the situation I am in is:

  • I have several (3+) web applications.
  • Each application is on a separate server.
  • Users cannot access each application directly; they all sit behind Apache, which acts as a reverse proxy server
  • Apache is on another server
  • Applications cannot directly access the reverse proxy or each other
  • The web applications are written in Java and run in Tomcat, Glassfish or something similar.
  • I want to enable SSO in all applications
  • If there is an IdP (e.g. OpenAM, Shibboleth), I will not be able to access it directly from any web application. *

These are all immutable requirements as far as I know; I must make SSO work without violating any of the above restrictions.

With all this in mind, I don't think I can implement the typical SSO setup, since it requires SP -> IdP -> SP, but I cannot complete the SP -> IdP step; I can only perform the IdP -> SP step.

Now, there are solutions. I have seen mod_mellon, mod_auth_saml and mod_shib, which support SAML in Apache, and I know that at least mod_mellon will pass the results of the SAML check through in the headers of the HTTP request. So this basically solves my problem, but for a few things I'll get to in a minute.

What I would ultimately like is something similar to this, except that Apache itself performs the authentication and passes the results of that authentication through to the web applications.

So the flow would be something like this:

Request -> Not Authenticated -> Redirect to Login Page -> Authenticate (e.g. via LDAP) -> Add results to headers -> Redirect to requested page, all without leaving Apache.

This is exactly the same flow as with a regular SSO provider, except that Apache essentially acts as both IdP and reverse proxy, and tells the SP that authentication was successful by including the results in the headers. It might be easier with a separate IdP, but I would like to avoid the overhead if possible.

Finally, whether I go with Apache plus an IdP or Apache as the IdP, I would need to ensure the integrity of whatever is added to the headers, for example by signing them.

Thinking about it for a second, though: if I want to sign these things, maybe I should just pass the SAML token on, since the SAML standard (and libraries) will take care of this...

The last question, then: is it possible for Apache to act as an SP, make the IdP call, and then forward the SAML token to the application behind the reverse proxy? On further reading, it looks like this could be ECP, or "Enhanced Client or Proxy". It is not intended for this use case (it is actually intended for, for example, a WAP proxy), but it might allow me to do what I want. Does the SAML standard provide anything other than SP-initiated login requests? It does, and it is called IdP-Initiated SSO. I believe the first part of this question is still relevant.

I would really appreciate any suggestions or comments that anyone has (even "WTF are you trying to do?!").

* I should note that, although in this situation we control all parts of the puzzle, there may be situations where we are required to allow customers to log in to our application through their own single sign-on infrastructure for security reasons, but where we do not have network access to their IdP. Their IdP will, however, have network access to our reverse proxy. I believe this has been a pressing requirement for a recent potential customer.

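The "add results to headers, then sign them" step from the question, as an added example that is not part of the original post and not code from Apache or any of the modules named above. It models in Python what the proxy and the backend each have to do: the proxy strips any identity header the client sent, authenticates, and emits a header carrying the subject, an issue time, an expiry and an HMAC tag; the backend recomputes the tag with the shared key, compares it in constant time, and rejects anything missing, malformed, forged or expired. The header name `X-Proxy-Identity`, the claim layout, the 5-minute TTL and the shared key are all assumptions chosen for the example; the key is a constructed placeholder.

```python
"""Signed identity header between an authenticating reverse proxy and a backend.

Added example (assumptions: header name, claim format, TTL, shared HMAC key).
In the question's design, Apache plays the "proxy" role below.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

HEADER_NAME = "X-Proxy-Identity"                  # assumed header name
KEY = b"constructed-shared-secret-do-not-reuse"   # constructed placeholder; load from a secret store
TTL_SECONDS = 300                                 # assumed lifetime of a signed header


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _tag(key: bytes, payload: str) -> bytes:
    # HMAC-SHA256 over the encoded payload; the tag binds user, groups and expiry together.
    return hmac.new(key, payload.encode(), hashlib.sha256).digest()


def proxy_sign_identity(user: str, groups: List[str], key: bytes = KEY,
                        now: Optional[float] = None) -> str:
    """Proxy side: build '<payload>.<tag>' for an already-authenticated user."""
    now = time.time() if now is None else now
    claims = {"sub": user, "groups": groups, "iat": int(now), "exp": int(now) + TTL_SECONDS}
    # Canonical JSON so the same claims always produce the same bytes (and tag).
    payload = _b64encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_b64encode(_tag(key, payload))}"


def proxy_forward_headers(inbound: Dict[str, str], user: str, groups: List[str],
                          key: bytes = KEY, now: Optional[float] = None) -> Dict[str, str]:
    """Proxy side: headers to send upstream after authentication.

    The client-supplied copy of the identity header is dropped unconditionally
    before the proxy's own signed value is set, so a client cannot smuggle one in.
    """
    outbound = {k: v for k, v in inbound.items() if k.lower() != HEADER_NAME.lower()}
    outbound[HEADER_NAME] = proxy_sign_identity(user, groups, key, now)
    return outbound


def backend_verify_identity(header: Optional[str], key: bytes = KEY,
                            now: Optional[float] = None) -> Optional[dict]:
    """Backend side: return the verified claims, or None on any failure."""
    if not header or header.count(".") != 1:
        return None
    payload, tag_b64 = header.split(".")
    try:
        given = _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Verify the tag before parsing the payload: untrusted bytes never reach the JSON parser.
    if not hmac.compare_digest(_tag(key, payload), given):
        return None
    try:
        claims = json.loads(_b64decode(payload))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    # Constructed inbound request: the client tries to pre-set the identity header.
    inbound = {"Host": "app1.internal", HEADER_NAME: "sub=admin"}
    upstream = proxy_forward_headers(inbound, "alice", ["staff"])
    print("backend sees:", backend_verify_identity(upstream[HEADER_NAME]))
    print("raw client value rejected:", backend_verify_identity(inbound[HEADER_NAME]))
```

The backend must only accept this header on the interface the proxy reaches it through; the question's own constraint that the applications are not reachable directly is what makes that hold. On the Apache side the equivalent of `proxy_forward_headers` is unsetting the inbound header with mod_headers (`RequestHeader unset X-Proxy-Identity`) before setting the trusted value, so the strip-then-set order is preserved regardless of what the client sent.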

Source: https://habr.com/ru/post/1438571/
