Login box (embedded in external portals outside IdP)

Paweł Pogoda paw.pogoda at gmail.com
Wed May 7 03:50:56 EDT 2014


Ok, starting from the beginning.
There will be 4 sites (let's name them client1, client2, portal1, portal2;
of course all separate domains), all of which should use single SSO to access
private pages.
My team is responsible for creating the sites portal1 and portal2 and also for
configuring and maintaining the IdP (a separate domain). (Authentication will
be based on data stored in our DB.)
The client sites client1 and client2 already exist and contain 2 places to
provide login/password:
1. a login box on each public page in the top navigation
2. a separate login page, displayed for example if the user provides an
invalid user/password in the top-nav login box and submits it.

The client requirement is that the login forms should be part of the client1/2
sites, not the IdP domain (they should only communicate with the IdP to handle
authentication).

Two use cases which should be properly handled:
- the user accesses some client1 public page
- the user provides his credentials in the login box (top navigation)
- the user is authenticated using our IdP and redirected to the portal1 private
home page
- the user enters in the browser the URL of some private portal1 page (*)
- the user is redirected to the client1 separate login page
- the user provides his credentials
- the user is authenticated using our IdP and redirected to the page requested
in the first step (*)

Right now I have probably found a technical solution, but I don't like it. It
seems strange/complicated and I want to know if there is some standard way to
handle it: host the SSO login page on a domain other than the IdP only to
collect user credentials and send this data to the IdP authentication engine
(to store the session cookie).

My current solution:
On a sample domain (different from the IdP) I prepared a simple HTML page:

<script type="text/javascript">
var iframeLoaded = false;
function iframeLoadComplete() {
    // The hidden iframe has loaded the protected portal1 page, so the IdP
    // now has a login context; submit the credentials to j_security_check.
    // form.submit() does not trigger onsubmit, so onSubmit() is not re-entered.
    iframeLoaded = true;
    document.getElementById('ssoForm').submit();
}
function onSubmit() {
    if (!iframeLoaded) {
        document.getElementById('iframeContainer').innerHTML =
            '<iframe style="display: none" src="https://www.localhost.com:8443/group/iag"' +
            ' onload="iframeLoadComplete()"></iframe>';
        return false; // hold the POST until the iframe has loaded
    } else {
        return true;
    }
}
</script>
<div id="iframeContainer"></div>
<form id="ssoForm" action="https://www.localhostsso.com:8443/idp/j_security_check"
      method="POST" onsubmit="return onSubmit();">
    <input name="j_username" value="user"/>
    <input type="password" name="j_password" value="password"/>
    <input type="submit">
</form>

Basically what I do here is, before posting the user/password data to the IdP
servlet, I create an iframe with the URL of the www.localhost.com (portal1)
private page which I want to access (this creates the login context in the
IdP). After the iframe is loaded I submit the user/password.

Best Regards

2014-05-06 18:19 GMT+02:00 Ian Rifkin <irifkin at brandeis.edu>:

> Hi,
> There will be still single point of authentication - single IdP, but what
>> I want to achieve is to embed login box to different than IdP server (in
>> fact protected web sites).
> In hopes of being helpful, can we take a step back? What is the problem
> you are trying to solve? I don't mean what you're trying to do technically.
> I am curious about the business case / use case. If you can explain that
> perhaps someone can point you in the right direction.
> Thanks,
> Ian
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
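The post above relies on the IdP's j_security_check endpoint having a "login context" before the credentials arrive, which is why the hidden iframe first loads a protected portal1 page. The following is an added example, not code from the original post or from Shibboleth: a minimal in-memory model of servlet-container FORM authentication that reproduces both sequences, the direct cross-domain POST and the iframe-first POST, on one IdP session. The hostnames, paths, login/error page names and the credential store are constructed for this example, and the SAML redirect chain between portal1 and the IdP is collapsed into a single protected request.

```javascript
// Added example, not code from the original post: an in-memory model of
// servlet-container FORM authentication (j_security_check), showing why a
// protected page must be requested on the IdP session before credentials
// are POSTed.  Hostnames, paths and the credential store are constructed.
const USERS = { user: 'password' };          // constructed sample store
const LOGIN_PAGE = '/idp/login.jsp';         // assumed IdP form page
const ERROR_PAGE = '/idp/login-error.jsp';   // assumed IdP error page

function newSession() {
  // One IdP session, as identified by a JSESSIONID-style cookie.
  return { savedRequest: null, principal: null };
}

// A request to a protected page (what the hidden iframe loads).  For an
// unauthenticated session the container remembers the target and redirects
// to the login form: that saved request is the "login context".
function requestProtected(session, url) {
  if (session.principal) {
    return { status: 200, body: 'private page ' + url + ' for ' + session.principal };
  }
  session.savedRequest = url;
  return { status: 302, location: LOGIN_PAGE };
}

// POST /idp/j_security_check.  With no saved request the container has
// nothing to resume; Tomcat, for example, answers 400
// "Invalid direct reference to form login page".
function securityCheck(session, username, password) {
  if (!session.savedRequest) {
    return { status: 400, error: 'no pending protected request in session' };
  }
  if (USERS[username] !== password) {
    return { status: 302, location: ERROR_PAGE };
  }
  session.principal = username;
  const target = session.savedRequest;
  session.savedRequest = null;
  return { status: 302, location: target };
}

// Sequence 1: the external login box POSTs straight to j_security_check
// on a fresh IdP session.
function loginDirect(username, password) {
  const session = newSession();
  return securityCheck(session, username, password);
}

// Sequence 2 (the post's approach): the hidden iframe first requests the
// protected page, then the form POSTs on the same IdP session, and the
// original target is served afterwards.
function loginViaProtectedPage(username, password, target) {
  const session = newSession();
  const first = requestProtected(session, target);          // 302 to form
  const second = securityCheck(session, username, password); // 302 to target
  const after = requestProtected(session, target);           // 200
  return { first, second, after };
}

console.log(loginDirect('user', 'password'));
console.log(loginViaProtectedPage('user', 'password', '/group/iag'));
```

The model makes explicit what the page in the post depends on: both the iframe navigation and the later top-level POST must reach the IdP with the same session cookie. The iframe request is made from a third-party context (client1's page framing a portal1/IdP URL), so in a real browser this hinges on cookie policy; browsers that restrict third-party cookies or apply SameSite defaults will not attach the IdP cookie inside the frame, and the POST then lands on a fresh session, which is the 400 case above.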
