Re: [jetty-users] Jetty SSO SAML
  • From: "Cantor, Scott" <cantor.2@xxxxxxx>
  • Date: Thu, 14 Oct 2021 14:12:49 +0000
  • List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
  • List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
  • Thread-topic: [jetty-users] Jetty SSO SAML

On 10/14/21, 10:03 AM, "Padraic Renaghan via jetty-users" <jetty-users@xxxxxxxxxxx> wrote:

>    So is the normal setup with Apache using an add-on for SAML SSO, any 
>    recommendations on which are best?

I don't really pretend to claim "normal"; I'm just opinionated, and inherently biased because I wrote a good chunk of the SAML 2.0 standard and I have led the Shibboleth Project for a long time. I'm deeply biased against OpenID Connect, so I'm not going to go there.

I'm simply saying that there's a ton of bad SAML code around, and that there are things that good code does (like support metadata and handle key changes properly) that are hard to find. That stuff is what makes implementations like Shibboleth "complex" but I don't apologize for that. "Screw key changes and trust" is "simple" but also deeply irresponsible.

Using Apache has the benefit that it insulates things and allows flexibility so you can swap things in and out.

>    And on the Jetty side would it be looking for a special HTTP header that 
>    the Apache side adds with the auth info. Or a cookie. Presumably 
>    encrypted?

You should be using the CGI interface to access data about the user, and that applies to any solution. Anything that embeds code in the app is doomed because you will be running it forever; apps are very hard to change politically even if not technically. Insulation from identity is the goal; it should be left to the container and web server (which is where you came in, asking about Jetty handling it for you).

Shibboleth for example is designed to be replaced. It is not trying to trap you into running it forever. Nobody selling a library-based solution is able to claim that.

-- Scott
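The "CGI interface" point above, as an added example that is not part of the thread or of any Shibboleth or Jetty code. It uses a WSGI `environ` because WSGI carries the same CGI variables (`REMOTE_USER` plus whatever attribute variables the front-end server's SSO module exports) that an Apache module sets for the application; in a servlet container the same role is played by the request API rather than by parsing raw headers yourself. The attribute variable names (`eppn`, `affiliation`, `displayName`) and the sample environments are assumptions constructed for illustration; the `;` separator is the Shibboleth SP default for multi-valued attributes, other modules differ. The security-relevant detail it shows is the naming split that the CGI interface gives you for free: a header the client sends arrives as `HTTP_REMOTE_USER`, which is never the same variable as the server-set `REMOTE_USER`, so the application cannot be handed a forged identity by a request header.

```python
"""Read identity from server-set CGI variables, never from client-sent headers.

Added example, not from the mailing-list thread. Attribute names below are
assumptions; real names come from the SSO module's attribute mapping.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional, Tuple

USER_VAR = "REMOTE_USER"                              # set only by the web server's auth layer
ATTRIBUTE_VARS = ("eppn", "affiliation", "displayName")  # assumed exported attribute variables
MULTI_VALUE_SEPARATOR = ";"                           # Shibboleth SP default; others differ


@dataclass(frozen=True)
class Principal:
    user: str
    attributes: Mapping[str, Tuple[str, ...]] = field(default_factory=dict)


def principal_from_environ(environ: Mapping[str, str]) -> Optional[Principal]:
    """Build the principal strictly from server-set variables.

    Returns None when the front-end server did not authenticate the request.
    Client headers appear in a CGI environment only as HTTP_* keys and are
    never consulted here, so 'REMOTE_USER: attacker' sent by a client becomes
    HTTP_REMOTE_USER and has no effect on the identity decision.
    """
    user = environ.get(USER_VAR, "")
    if not user:
        return None
    attrs = {}
    for name in ATTRIBUTE_VARS:
        raw = environ.get(name, "")
        if raw:
            attrs[name] = tuple(v for v in raw.split(MULTI_VALUE_SEPARATOR) if v)
    return Principal(user=user, attributes=attrs)


def app(environ, start_response):
    """Minimal WSGI app: 401 unless the server layer supplied an identity."""
    principal = principal_from_environ(environ)
    if principal is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"not authenticated by the front-end server\n"]
    affiliations = ",".join(principal.attributes.get("affiliation", ()))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {principal.user}; affiliations={affiliations}\n".encode()]


def respond(environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Drive app() without a server and return (status, body) for inspection."""
    captured = []
    body = b"".join(app(environ, lambda status, headers: captured.append(status)))
    return captured[0], body


# Constructed environ: a client sends 'REMOTE_USER: attacker' as a header and the
# server performed no authentication. The header surfaces only as HTTP_REMOTE_USER.
FORGED_ONLY = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_REMOTE_USER": "attacker"}

# Constructed environ: the server's SSO module authenticated alice and exported
# attributes; the attacker-controlled header is still present and still ignored.
AUTHENTICATED = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/",
    "REMOTE_USER": "alice@example.edu",
    "eppn": "alice@example.edu",
    "affiliation": "member;staff",
    "HTTP_REMOTE_USER": "attacker",
}

if __name__ == "__main__":
    print(respond(FORGED_ONLY))
    print(respond(AUTHENTICATED))
```

The same discipline carries over when the SSO module lives in Apache and the app runs elsewhere: whatever transport carries the variables to the application (AJP request attributes, or headers that the proxy injects after stripping any client-sent copies) must preserve the property that the application never reads a value the client could have supplied.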