We're needing to add SSO support to one of our applications (well, it's currently one, but will be split in two (or even three) shortly), but I know very little about it...
Since we're using Shiro for another project (which doesn't require SSO), I figured I'd start here.

First up, my understanding of roughly what we need for SSO:

- An IDP (Identity Provider) - this handles authentication (and optionally, provides authorization details).
- 2+ SPs (Service Providers) - they actually *do stuff* - this would be the web application I currently have.

That's technically it, right? Sure, the IDP needs to have a source for the users (e.g. LDAP), but that's not the part I'm having issues with right now. There's probably a whole bunch more complexity elsewhere, but let's just ignore that for now.

The IDP and SP communicate somehow, and I'm having a little trouble figuring out how. Some seem to use a "proprietary" method, e.g. CAS, which communicates in a way that no other IDP does. Others use a standard like SAML. Now, am I right in assuming that if I can somehow get up and running with SAML, then I will be able to work with any provider that supports SAML (e.g. Oracle Identity Federation, etc.)? I'd assume so, but...

Anyway, assuming that SAML is a good choice for communicating between SP and IDP, then is there any support currently in Shiro for this? I've hunted through the documentation and there doesn't seem to be. Spring Security does seem to support it, though the documentation is pretty limited.

On a semi-related note, CAS (which is the only solution Shiro supports out of the box) doesn't support federation, does it? By federation, all I mean here is that it supports a single IDP that's external to me (e.g. one that I don't control, perhaps an existing one controlled by the client). I get the impression that it doesn't, and even if it does, the Shiro client only seems to support a CAS IDP...

So yeah. Is there Shiro support for SAML (or, in fact, anything apart from CAS), with regards to SSO?

Thanks,
- Andrew Thorburn
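As an added illustration of what "communicating via SAML" means for the SP side of the picture sketched above (this is example code written for this page, not code from the post, from Shiro, or from any IdP product): after the user authenticates at the IdP, the IdP sends a SAML Response back to the SP's Assertion Consumer Service (ACS) URL, and the SP must check that response before creating a session. The Python below parses a constructed, unsigned sample Response with the standard library and applies the checks that keep an external IdP from being trusted blindly: the response is addressed to our ACS and answers the request we actually sent, the status is Success, the assertion's Issuer is the IdP we federate with, the validity window and audience restriction match us, and the assertion ID has not been seen before (replay). The entity IDs, URLs and request ID are assumed values. XML Signature verification against the IdP's certificate (taken from its metadata) is mandatory in a real SP and must run before these checks; it needs an xmlsec-backed library and is deliberately not shown here.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what an IdP would POST to the SP's ACS endpoint.
# All identifiers and URLs are assumed; the ds:Signature element is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z"
    Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when the Response fails any SP-side check; the SP must not log the user in."""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:05Z into an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url, request_id, now, seen_assertion_ids):
    """Apply the SP-side checks on a (signature-verified) SAML Response and return the NameID."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    # The response must be for our ACS endpoint and answer the AuthnRequest we issued.
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination does not match our ACS URL")
    if root.get("InResponseTo") != request_id:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    # Only the IdP we federate with may issue assertions for us.
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlValidationError("unexpected Issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlValidationError("missing Conditions")
    if not (_ts(conditions.get("NotBefore")) <= now < _ts(conditions.get("NotOnOrAfter"))):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("assertion not intended for this SP (audience)")
    # Bearer confirmation: recipient, request binding and expiry must also match.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("SubjectConfirmationData does not match this SP/request")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("SubjectConfirmationData expired")
    # Each assertion ID may be accepted once within its validity window (replay protection).
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_demo():
    """Exercise the sample: a valid response, a replay of it, and a response for another SP."""
    sp = dict(idp_entity_id="https://idp.example.com/metadata", sp_entity_id="https://sp.example.com/metadata",
              acs_url="https://sp.example.com/saml/acs", request_id="_req42", now=_ts("2024-05-01T12:00:10Z"))
    seen = set()
    results = {"valid": validate_response(SAMPLE_RESPONSE, seen_assertion_ids=seen, **sp)}
    for label, overrides in (("replayed", {}), ("wrong_audience", {"sp_entity_id": "https://other-sp.example.com/metadata"})):
        try:
            validate_response(SAMPLE_RESPONSE, seen_assertion_ids=seen, **{**sp, **overrides})
            results[label] = "accepted"
        except SamlValidationError as exc:
            results[label] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, "->", outcome)
```

The point for the question above: once these checks (plus signature verification) are in place, the SP's trust in the IdP is expressed entirely through the IdP's entity ID and certificate, which is what lets the same SP code work against any standards-conforming SAML IdP rather than one particular product.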
