An Apache-free SP

Peter Schober peter.schober at univie.ac.at
Wed Mar 15 15:12:40 EDT 2017


* Wessel, Keith <kwessel at illinois.edu> [2017-03-15 19:29]:
> At the risk of being off-topic, I'm wondering if anyone can provide
> me with any solid pros/cons on things like Onelogin's Python-SAML
> and Java-SAML implementations as well as other options to run an SP
> without Apache and mod_shib.

For what kinds of applications/frameworks/stacks/APIs? Do Python and
Java cover everything for you?
While I've not worked with it myself I'm sure Roland's pysaml2 is a
capable SAML implementation. (As is SimpleSAMLphp, though you don't
mention PHP.)

Still I'd rather use the Shib SP if it's in any way possible
(including for Python and PHP applications), mostly due to the SP's
flexibility and power, as that means I can support best practices
across the board, without needing changes to applications or
middleware. From handling attributes and nameids, to error handling,
session establishment (and possibly termination) incl. IDP discovery,
etc.pp.
The possibility to do all that to provide a proper user experience
(and application behaviour) without having to change application code
is simply amazing. ("Totally f*cking awesome" for US Americans?)

With many SAML SP implementations (even ones you can beat into
submission to work with your IDP -- ideally without throwing security
out the window at the same time) it often stops at "more than one IDP"
or "don't use email address as primary key".

So those applications' requirements must be very, very simple
(basically not being exposed to more than a handful of users) before
I'd consider alternative SAML implementations instead.

Dockerization of parts of your infrastructure is not reason enough to
give up on proper UX and application (integration) behaviour.
-peter