Search This Blog

Monday, 17 March 2014

My own primitive Single Sign On

I have often worked on web applications which used SSO. In fact my blogger profile also works through an SSO flow. If I am logged in into Gmail than all fine, else I need to login into Gmail or more specifically my Google account.
One way to have an SSO flow is :
  1. A user attempts to access a resource.
  2. The resource provider checks if the user is authenticated. 
  3. If not he is redirected to an Identity Provider whose job it is to authenticate the user. The Provider may also do the authorization checks or he may let the resource provider handle the same.
  4. Once the above process completes - or the identity provider communicates user details to the resource provider, the resource provider than takes action on the user request.
The important thing here is the communication mechanism used between the identity provider and the resource provider. In one project my team achieved the SSO using SAML over HTTPS.
To be entirely honest I have no knowledge of SAML or how it works. But I still wanted to get SSO done. I decided to build my own web platform to provide SSO to associated web apps that acted as resource providers.
Since I am trying to keep things simple, I am gonna stay from terms like federation server,  active directory etc, SAML. In my development, the only thing that exists are Servlets and JSP.
I decided to do some designing and this is a rough diagram of my whole platform:
Here we have a web app called the AuthPlatform that is responsible for performing authentication of all users trying to use the resources exposed by PlatformAppX where X is A,B,.....N (Sounds like a algebra eqn, but no, I'm not going anywhere near Maths here).
So how does the solution work?
When the user tries to get at a resource exposed by a PlatformApp (say PlatformAppA).
  1. PlatformAppA checks if a user session exists.
  2. If not, than PlatformAppA will ask the AuthPlatform to authenticate the user.
  3. Once AuthPlatform completes authentication, it will redirect user to PlatformAppA.
When authenticated user attempts to use another resource(say PlatformAppB)
  1. PlatformAppB checks with AuthPlatform to verify if user is autenticated.
  2. Once it verifies the authentication, PlatformAppB allows the application to proceed.
When user decides to logout from the application
  1. The application informs the AuthPlatform about user's decision to terminate the session. He is also logged out from the AuthPlatform. (This is similar to logging out from Gmail.)
  2. The user is logged out from the Platform App. If he tries to perform any operations in any other PlatformAPP he should see a "session does not exist, Please sign in" message.
Accordingly I created the projects in Eclipse:
In the next post I shall take a look at how this really works (it does work)


  1. Single Sign on Solutions is the ideal way to safeguard a list of passwords using single software.

  2. Guess i had the theory on SSO in my B.E. syllabus. This practical oriented explanation was way more interesting and informative.