By: Aaron Elligsen user 30 Dec 2016 at 7:54 p.m. CST

5 Responses
I'm trying to roll out single sign-on with SAML internally with a small number of apps. I have Gluu up and running, and I successfully tested my IdP setup with TestShib. Now I am trying to understand how to get users logged into the system. I know I can send the users to https://idp.example.com/oxauth/login and it will log them into the system for SAML. However, what I'd really rather do is send an AJAX call from our existing homepage with the necessary credentials to some URL and then have our site actually let them in as a service provider. I am specifically trying to avoid having to redirect the user away from our current domain, to maintain the current login flow/experience. How should I do this?

Edit: Alternatively, can I log the users into the LDAP backing Gluu, and will SAML then authenticate them?

Edit: It is also slowly dawning on me that this may be the purpose of OpenID Connect. Can anyone confirm?

By Sahil Arora user 30 Dec 2016 at 10:41 p.m. CST

Let me check on it and get back to you.

By Michael Schwartz Account Admin 02 Jan 2017 at 12:48 p.m. CST

Exposing the password to the website totally defeats the purpose of centralized authentication. Also, the SSO session is a cookie set by the IdP in the end-user's browser. So if you want to just validate password credentials, use LDAP or the OAuth2 Resource Owner Password Credentials Grant. But if you want security and SSO, you'll need to redirect to the IdP.
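The two options in the reply above (redirect the browser to the IdP for SSO, or post the password to the IdP's token endpoint with the Resource Owner Password Credentials grant) look like this on the service-provider side. This is an added example written for this thread, not Gluu's code or the poster's; the endpoint URLs on idp.example.com are assumed placeholders (a real client takes them from the IdP's discovery document), and the state/nonce handling follows the standard OpenID Connect authorization code flow that the original question was reaching for.

```python
"""Relying-party helpers illustrating the two options from the reply.

Option 1 (SSO): redirect the browser to the IdP. Only identifiers leave the
SP; the password is typed at the IdP, which sets its own session cookie.
Option 2 (credential validation only): Resource Owner Password Credentials.
The SP handles the password and no IdP cookie is set, so there is no SSO.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# ASSUMED placeholder endpoints for illustration; take the real values from
# the IdP's /.well-known/openid-configuration document.
AUTHORIZE_URL = "https://idp.example.com/oxauth/restv1/authorize"
TOKEN_URL = "https://idp.example.com/oxauth/restv1/token"


def new_session_binding():
    """State and nonce the SP stores server-side before redirecting.
    State binds the callback to this browser session; nonce binds the
    ID token to this login attempt."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_redirect(client_id, redirect_uri, state, nonce,
                                 authorize_url=AUTHORIZE_URL):
    """Option 1: the URL the SP sends the browser to. No credentials here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_url}?{urlencode(params)}"


def extract_code_from_callback(callback_url, expected_state):
    """Parse the IdP's redirect back to the SP and return the code.
    A state mismatch is rejected before any token exchange, which is the
    check that stops login-CSRF and mixed-up callbacks."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise ValueError(f"IdP returned error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_ropc_token_request(client_id, client_secret, username, password,
                             token_url=TOKEN_URL):
    """Option 2: what the SP would POST to the token endpoint. The password
    passes through the SP, and the response is a token for this SP only;
    the browser never gets an IdP session, so other apps see no SSO."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": "openid",
    })
    return token_url, headers, body


if __name__ == "__main__":
    state, nonce = new_session_binding()
    print(build_authorization_redirect("sp-client", "https://example.com/cb",
                                       state, nonce))
```

The point of the contrast is visible in the two builders: the redirect URL carries no secret at all, while the ROPC body carries the user's password, which is exactly what the reply warns against when the goal is centralized authentication and SSO across example.com and place2.example.com.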

By Aaron Elligsen user 02 Jan 2017 at 1:17 p.m. CST

The website doesn't really need the password. I'm just trying to retain the flow: users come to example.com to log in and can then access example.com as they did before, as well as place2.example.com.

By Aaron Elligsen user 02 Jan 2017 at 1:32 p.m. CST

I see what you're saying about exposing the password to the SP site (which was the old IdP, essentially), but I feel like an AJAX call could talk to the IdP service and set the cookie. Anyway, perhaps a better solution would be this: how do I style the IdP login in Gluu, such that it is not glaringly obviously not a part of the existing site?

By Michael Schwartz Account Admin 02 Jan 2017 at 2:04 p.m. CST

Use an iFrame?