SAML 2.0 based single sign-on and logout for web applications deployed in Apache Tomcat - Part One

An introduction to WSO2’s Apache Tomcat extension for SAML 2.0 based single sign-on and logout

Chiranga Alwis
3 min read · Nov 18, 2017

This article provides a concise introduction to WSO2’s Apache Tomcat extension, which performs SAML 2.0 based single sign-on and logout for web applications deployed in Apache Tomcat.

What are single sign-on and logout?

Single sign-on is a service in which a user authenticates once, with one set of login credentials, to access multiple protected applications for which the user holds the required rights. Thus, a user authenticated against one protected application gains access to the other protected applications without having to authenticate again until the session terminates.

Similarly, single logout is a service in which, once a user logs out from one protected application, he/she is logged out from all protected applications to which he/she was earlier authenticated.

The most familiar example of single sign-on and logout in action is Google Apps. Having signed in to one’s Google account (based on one’s Gmail) with a single set of credentials, a user can make use of a whole host of Google Apps such as Gmail, Google Docs, Calendar and Drive. Once logged out from one Google App (e.g. Gmail), the user finds him/herself logged out of, and unable to access, the other Google Apps as well.

The power of single sign-on can be experienced when using Google Apps (from https://www.linkedin.com/pulse/how-businesses-connect-remote-workers-g-suite-google-cloud-selcuk-)

In addition to the convenience described above, single sign-on brings the following advantages:

  • Users do not need to maintain and remember different passwords for the different applications they access.
  • Ease of administration: user security data is maintained in one trusted place, which makes it easier to manage (e.g. when the data changes).
  • Ease of enforcing the desired standards and policies on the security data held (e.g. password and account policies).

WSO2’s Apache Tomcat extension for SAML 2.0 based single sign-on and logout

Apache Tomcat provides its own single sign-on implementation, which uses an HTTP cookie to transmit a token that associates each request with a saved user identity.

The implementation discussed in this article, however, uses SAML 2.0 for data exchange. Security Assertion Markup Language (SAML) is an XML-based open standard that allows user authentication and authorization data to be exchanged across security domains.

The discussed Apache Tomcat extension implements the SAML 2.0 Web Browser Single Sign-On and Single Logout profiles. For a better understanding of SAML 2.0 and its related concepts, refer to the following:

Note also that this implementation supports only service provider initiated single sign-on. This means that a user can initiate single sign-on only by directly accessing a protected resource (in this case, a web application); the identity provider cannot start the flow on its own. This article provides a more detailed explanation of the difference between service provider initiated and identity provider initiated single sign-on.
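The restriction to service provider initiated single sign-on has a concrete security consequence: a service provider that only ever starts logins itself can reject any SAML Response that does not answer an AuthnRequest it issued, which rules out unsolicited and replayed responses. The following Python sketch is an added illustration, not code from the WSO2 extension (which is written in Java); it models that check together with single logout across a user's sessions, and the entity IDs, URLs and the unsigned stand-in IdP response are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

class ServiceProvider:
    """SP-side state for the SAML 2.0 Web Browser SSO profile, SP-initiated flow only."""
    def __init__(self, entity_id, acs_url, idp_sso_url):
        self.entity_id, self.acs_url, self.idp_sso_url = entity_id, acs_url, idp_sso_url
        self.pending = {}   # AuthnRequest ID -> resource the user originally asked for
        self.sessions = {}  # local session ID -> NameID of the authenticated user

    def start_login(self, requested_resource):
        """Unauthenticated access to a protected resource: issue an AuthnRequest for the IdP."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = requested_resource
        authn = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=req_id, Version="2.0",
                           Destination=self.idp_sso_url, AssertionConsumerServiceURL=self.acs_url)
        ET.SubElement(authn, f"{{{SAML}}}Issuer").text = self.entity_id
        return req_id, ET.tostring(authn, encoding="unicode")

    def consume_response(self, response_xml):
        """Accept a Response only if it answers an AuthnRequest this SP issued. Signature,
        Conditions and Audience checks are omitted here and must precede any real use of NameID."""
        root = ET.fromstring(response_xml)
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.pending:
            return None  # unsolicited (IdP-initiated) or replayed response: not supported
        requested_resource = self.pending.pop(in_response_to)  # one-time use blocks replay
        name_id = root.find(f".//{{{SAML}}}NameID").text
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = name_id
        return session_id, requested_resource

    def single_logout(self, name_id):
        """Single logout: ending one session for a user ends all of that user's sessions."""
        dropped = [s for s, n in self.sessions.items() if n == name_id]
        for s in dropped:
            del self.sessions[s]
        return len(dropped)

def constructed_idp_response(in_response_to, name_id):
    """Constructed stand-in for an IdP Response (unsigned, example data only)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(8), Version="2.0", InResponseTo=in_response_to)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(resp, encoding="unicode")
```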

The source code of the discussed extension is available from here.

Check out part two of this article for a practical guide on using the discussed SAML 2.0 single sign-on and logout Apache Tomcat extension.
