Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
Ray Bon
rbon at uvic.ca
Fri Jan 28 18:45:04 UTC 2022
Bang,
There is a security risk here: anyone can send subject-id to your app on machine A. That is, how do you guarantee trust between machine A and B?
Could you set up the Shib SP on machine A?
Ray
On Fri, 2022-01-28 at 19:34 +0100, Bang Pham Huu wrote:
Hi Nate,
Thanks again for your speedy response (especially on a Friday evening :)).
but you could rig up a system where machine B, after receiving the SAML assertion, has a simple shim that processes the attributes, packages them into something like an OAuth token, and then redirects the user back to machine A with enough information to retrieve the temporary token. Machine A would then create and persist a session for the user.
I could agree with you if I had some influence on machine B (but I don't, unfortunately).
The way I described it, the Shibboleth SP on machine B acts as the man in the middle and allows the java web application on machine A to get the attribute returned by the Shibboleth IdP.
It seems it is not as straightforward as I thought.
Have a good weekend :)
On 1/28/22 7:22 PM, Nate Klingenstein wrote:
Bang,
I'm impressed by your quick response :).
It's one of my many bad habits. :D
I understand what you're trying to accomplish. The "easiest" way to do this would probably be AJP between machine B and machine A, but you could rig up a system where machine B, after receiving the SAML assertion, has a simple shim that processes the attributes, packages them into something like an OAuth token, and then redirects the user back to machine A with enough information to retrieve the temporary token. Machine A would then create and persist a session for the user.
I would prefer the proxying approach, personally, but it depends on how much infrastructure you want to build and maintain, or whether you can find a toolkit already written and maintained by someone else that is capable of doing something similar.
Maybe someone else on the list has a more clever idea.
Take care,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Bang Pham Huu
Sent: Friday, January 28 2022, 11:13 am
To: users at shibboleth.net
Subject: Re: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
Hi Nate,
I'm impressed by your quick response :).
I'm new to Shibboleth, of course, and I just have a naive idea of how it works in a common-sense way.
So, I develop a java web application on machine A, and another guy works on the Shibboleth SP on machine B (I have no influence on him).
Then, I just wanted to make my web application send a request to the Shibboleth SP on machine B, which will use a test Shibboleth IdP, and finally, after logging in, somehow the Shibboleth SP on machine B forwards everything to my web application on machine A.
Then, I can get the testing user's email attribute (subject-id) in my web application.
I hope I'm clear about my plan.
Thanks,
On 1/28/22 7:06 PM, Nate Klingenstein wrote:
Bang,
Thanks for your use of SAMLtest. We're up to ~75,000 providers and counting. I'm glad you've found it useful.
The communication between machine B and machine A is effectively remoting login and session management to a third party rather than performing it in the application, which is both architecturally sound in some instances and requiring of sufficient security and integrity: you basically need an authentication protocol for this.
The workaround you mention, whether via HTTP forwarding or AJP proxying, is the most natural and easiest way I can think of. Is there a particular reason you want to avoid it? There are limited alternatives using Shibboleth, but there are options using other approaches depending on how much you want to build and how sensitive your application is.
Hope to learn more about your needs,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Bang Pham Huu
Sent: Friday, January 28 2022, 10:53 am
To: users at shibboleth.net
Subject: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
Hello,
I've a java web application running on Tomcat8 on machine A (https://machineA:8080/app) and a machine B installed with Apache2 and Shibboleth 3 SP (https://machineB/Shibboleth.sso/) which is configured to use https://samltest.id as Shibboleth IdP.
What I want to achieve is:
- When I access https://machineA:8080/app
  -> it invokes a java code: httpServletResponse.sendRedirect("https://machineB/Shibboleth.sso/Login")
  -> It redirects to the Shibboleth IdP on https://samltest.id
  -> However, after I logged in with the test user here, it stopped on https://machineB but it doesn't redirect to https://machineA:8080/app ?
  I wanted to have the subject-id attribute returned from https://samltest.id in my web application.
- There is another way around, which is Apache2 on machine B works as a proxy protecting machine A with Tomcat8 as mentioned (Apache2 redirects to Tomcat8 via AJP 1.3) here: https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072431/NativeSPJavaInstall
But it is not what I wanted.
Thanks,
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at uvic.ca
I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
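Ray's trust concern (anyone can send a subject-id to the app on machine A) and Nate's token-shim idea, worked through as an added example that is not code from this thread or from the Shibboleth project: machine B's shim signs the SP-supplied subject-id into a short-lived, single-use token, and machine A accepts subject-id only from such a token. Python stands in for both the shim and the Tomcat app; the shared secret, audience URL and TTL are constructed values, and a real deployment would provision the secret out of band.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo values: a real secret is provisioned out of band to both machines.
SHARED_SECRET = b"constructed-demo-secret-known-only-to-machines-A-and-B"
APP_AUDIENCE = "https://machineA:8080/app"
TOKEN_TTL_SECONDS = 60  # assumption: one minute is ample for a browser redirect

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(subject_id: str, now: Optional[float] = None,
                        secret: bytes = SHARED_SECRET) -> str:
    """Machine B shim: the SP has already validated the IdP assertion and exposed
    subject-id; wrap it in an HMAC-signed, short-lived, single-use token."""
    now = time.time() if now is None else now
    claims = {"subject-id": subject_id, "aud": APP_AUDIENCE, "iat": int(now),
              "exp": int(now) + TOKEN_TTL_SECONDS,
              "jti": secrets.token_urlsafe(16)}  # unique id lets machine A refuse replays
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

class HandoffVerifier:
    """Machine A: accept subject-id only from a token machine B signed, and only once."""

    def __init__(self, secret: bytes = SHARED_SECRET, audience: str = APP_AUDIENCE):
        self.secret, self.audience, self.seen_jti = secret, audience, set()

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64url_decode(sig), expected):
                return None  # not signed by B: a bare or tampered subject-id is rejected
            claims = json.loads(_b64url_decode(body))
        except ValueError:  # wrong shape, bad base64 or bad JSON
            return None
        if claims.get("aud") != self.audience or claims.get("exp", 0) < now:
            return None  # meant for someone else, or the redirect window has passed
        if claims["jti"] in self.seen_jti:
            return None  # replayed token
        self.seen_jti.add(claims["jti"])
        return claims
```

Machine A would call `verify` on the token carried by the redirect and create its own session from the returned claims; the AJP-proxy route Nate prefers avoids this shim entirely because Apache on machine B hands the attributes to Tomcat directly.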