Security Patterns: Single Sign On across Web Applications and Web Services
The requirement is single sign-on across different web applications: once the user has authenticated, he should be able to access all of the web applications without authenticating again himself. The web applications also need to call a set of back-end services with the logged-in user's access rights, and those back-end services will authorize the end user based on different claims, such as role. The flow works as follows:
1. The user hits the link to the WebApp.
2. The WebApp finds that the user is not authenticated and redirects to the SAML2 IdP.
3. The SAML2 IdP checks whether the user already has an authenticated session; if not, it prompts for credentials. Once authenticated there, the user is redirected back to the WebApp with a SAML token carrying the set of claims requested by the WebApp.
4. Now the WebApp needs to access a back-end web service with the logged-in user's access rights. The WebApp passes the SAML token to the PEP based on WS-Trust and authenticates itself (the WebApp) to the PEP via the trusted-subsystem pattern.
5. The PEP calls the XACML PDP to authorize the user, based on the claims provided in the SAML token.
6. The XACML PDP returns the decision to the PEP.
7. If the decision is 'Permit', the PEP lets the user access the back-end web service.
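The seven steps above, modelled end to end as an added example (this is illustrative code, not code from the article or from any SAML/XACML product). It assumes HMAC signatures as a stand-in for the XML-DSig on a real SAML assertion and for the WS-Trust / mutual-TLS credential a real WebApp would present to the PEP; the key names, WebApp ids, claim names and the policy rules are all constructed for the example. The point it shows beyond the prose is which checks the PEP has to make before any claim in the token is trusted: the caller really is a trusted subsystem, the token signature is intact, the token was issued to that caller (audience) and has not expired, and only an explicit Permit from the PDP opens the back-end service.

```python
import hashlib
import hmac
import json
import time

# Constructed keys for this example. A real deployment uses XML-DSig on the
# SAML assertion and WS-Trust / mutual TLS for the WebApp-to-PEP hop; HMAC is
# a stand-in so the flow runs offline.
IDP_SIGNING_KEY = b"idp-signing-key"
WEBAPP_SECRETS = {"webapp-1": b"webapp-1-secret", "webapp-2": b"webapp-2-secret"}


def _sign(payload, key):
    """Deterministic HMAC-SHA256 over the canonical JSON form of payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


# Steps 1-2: the WebApp checks its own session before doing anything else.
def webapp_entry(session):
    """Return 'redirect:idp' when there is no authenticated session."""
    return "ok" if session.get("token") else "redirect:idp"


# Step 3: the IdP authenticates the user and issues a token scoped to the
# requesting WebApp (audience) and to the claims that WebApp asked for.
def idp_issue_token(subject, user_claims, requested_claims, audience, ttl=300):
    assertion = {
        "subject": subject,
        "audience": audience,
        "expires": int(time.time()) + ttl,
        "claims": {k: v for k, v in user_claims.items() if k in requested_claims},
    }
    return {"assertion": assertion, "signature": _sign(assertion, IDP_SIGNING_KEY)}


# Step 4: the WebApp proves its own identity to the PEP (trusted-subsystem
# pattern) by signing the assertion it forwards with its own credential.
def webapp_proof(token, webapp_id):
    return _sign(token["assertion"], WEBAPP_SECRETS[webapp_id])


def pep_validate(token, webapp_id, proof, now=None):
    """Checks the PEP must do before trusting any claim in the token."""
    assertion = token["assertion"]
    secret = WEBAPP_SECRETS.get(webapp_id)
    if secret is None or not hmac.compare_digest(proof, _sign(assertion, secret)):
        raise PermissionError("caller is not a trusted subsystem")
    if not hmac.compare_digest(token["signature"], _sign(assertion, IDP_SIGNING_KEY)):
        raise PermissionError("token signature invalid")
    if assertion["audience"] != webapp_id:
        raise PermissionError("token was issued to a different WebApp")
    if assertion["expires"] <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return assertion


# Steps 5-6: a minimal XACML-style PDP. Each rule has a target (resource,
# action) and a condition over the subject's claims; deny-overrides combining.
POLICY = [
    {"effect": "Permit", "resource": "orders", "action": "read",
     "condition": lambda c: bool({"customer", "admin"} & set(c.get("role", [])))},
    {"effect": "Permit", "resource": "orders", "action": "delete",
     "condition": lambda c: "admin" in c.get("role", [])},
    {"effect": "Deny", "resource": "orders", "action": "delete",
     "condition": lambda c: c.get("status") == "suspended"},
]


def pdp_evaluate(request):
    decision = "NotApplicable"
    for rule in POLICY:
        if (rule["resource"], rule["action"]) != (request["resource"], request["action"]):
            continue
        if not rule["condition"](request["subject_claims"]):
            continue
        if rule["effect"] == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# Step 7: the PEP lets the call through only on an explicit Permit; anything
# else (Deny, NotApplicable) is treated as denied by the caller of this function.
def pep_authorize(token, webapp_id, proof, resource, action, now=None):
    assertion = pep_validate(token, webapp_id, proof, now)
    request = {"subject": assertion["subject"], "subject_claims": assertion["claims"],
               "resource": resource, "action": action}
    return pdp_evaluate(request)


if __name__ == "__main__":
    tok = idp_issue_token("alice", {"role": ["customer"], "email": "a@example.test"},
                          ["role"], "webapp-1")
    print(pep_authorize(tok, "webapp-1", webapp_proof(tok, "webapp-1"), "orders", "read"))
```

Two details are worth noticing when running it. The IdP only releases the claims the WebApp asked for, so the `email` attribute never reaches the PEP or PDP, and a token issued to `webapp-1` is rejected when `webapp-2` forwards it even though `webapp-2` is itself a trusted subsystem; without that audience check, any compromised WebApp could reuse tokens issued to its neighbours.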
Published at DZone with permission of Prabath Siriwardena, DZone MVB.