Spike: Move to NGINX/Apache for SAML2 SP?
Activity
Julian Ladisch July 3, 2020 at 4:39 PM
See also the issues listed on and the discussion on https://discuss.folio.org/t/saml-sso-features-and-strategy/2891
Created June 19, 2020 at 5:20 PM
Updated July 3, 2020 at 4:39 PM
Overview
Investigate using an out-of-the-box SAML2 Service Provider (SP) implementation. Both NGINX and Apache have modules/plugins for this type of thing.
For example: https://github.com/latchset/mod_auth_mellon
I think the idea is to keep creating a module that has a module descriptor, is registered with OKAPI, etc., only instead of being based on Vertx and a Java base Docker image, it's based on an nginx or httpd image.
Questions to be answered
How doable is this? POC?
What about multi-tenancy?
What would be required from the frontend? Would it be possible to make this compatible with the existing mod-login-saml API?
Other Considerations
Maybe a hybrid approach would make sense, where some endpoints, e.g. for configuration, etc., which might require some business logic, can be handled with a Java application (based on vertx/RMB) that's running in the same container. I think we might need to do something like this if we want to avoid breaking changes to the API.