Develop app for IdP users

Cantor, Scott cantor.2 at
Thu Nov 4 13:03:35 UTC 2021

On 11/3/21, 8:00 PM, "users on behalf of Felipe Cardoso" <users-bounces at on behalf of felipepassoscardoso at> wrote:

>    1 - Create a Java application and deploy it on the same Tomcat where Shibboleth IdP is running.

That's a very bad idea generally. I would never deploy anything else with the IdP in the same container, that's an unnecessary security risk. I wouldn't even deploy it on the same host, and definitely not on the same virtual host.

>    Option 2 looks good to me because I don’t need to set up a “Service Provider” that will only be used by my
> IdP and should not be visible to another IdP in the federation.

99.9% of the SPs in the world are non-federated and only served by one IdP. That's not a good basis for deciding not to deploy an SP.

>    I mean, WebInterfaces should not be used to create applications for IdP end users.

If you're building something that needs to use lots of IdP APIs and services and would be based on Spring WebFlow then it's an option but the reality is that the IdP is secure precisely because it is not a web application and does not have to expose a lot of user interface.

I don't believe there is any hope whatsoever in 2021 of building a secure webapp. The web is past the point of that being possible. So all you can do is isolate everything and prevent the inevitable bug from infecting something more important. Co-locating something is pretty much asking for an attack.

-- Scott
