Spike: Move to NGINX/Apache for SAML2 SP?

Description

Overview

Investigate using an out-of-the-box SAML2 Service Provider (SP) implementation. Both NGINX and Apache have modules/plugins for this type of thing.

For example: https://github.com/latchset/mod_auth_mellon

I think the idea is to keep create a module that has a module descriptor, is registered with OKAPI, etc. only instead of being based off Vertx and a java base docker image, it's based off an nginx or httpd image.

Questions to be answered

How doable is this? POC?
What about multi-tenancy?
What would be required from the frontend? Would it be possible to make this compatible with the existing mod-login-saml API?

Other Considerations

Maybe a hybrid approach would make sense, where some endpoints, e.g. for configuration, etc. which might require some business logic can be handled with a java application (based on vertx/RMB) that's running in the same container. I think we might need to do something like this if we want to avoid breaking changes to the API.

Environment

None

Potential Workaround

None

Linked issues

relates to

UXPROD-778

Authentication and Authorization Beyond Basic and SAML (LDAP, OAUTH, Grouper)

Checklist

hide

TestRail: Results

Activity

Show:

Julian Ladisch July 3, 2020 at 4:39 PM

See also the issues listed on and the discussion on https://discuss.folio.org/t/saml-sso-features-and-strategy/2891

Details

Assignee

Craig McNally

Reporter

Craig McNally

Priority

TBD

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created June 19, 2020 at 5:20 PM

Updated July 3, 2020 at 4:39 PM

Configure

TestRail: Cases

TestRail: Runs