Implementing SSO and Spring Security for SAAS

Question

Here is what we want at high level.

My Requirements,

1. Clients should be able to access my application using their existing username/password.

2. My clients should be able to provide me their user-roles, and based upon that I will manage the resource authorization in the server.

3. Client will share the database. (Multitenancy).

The OAuth 2.0 examples I went across are, utilizing Authentication Servers such as Facebook/Google, where in users can login thru their google or facebook account. I wan't my clients to be able to login with their own accounts.

As far as CAS Authentication server is concerned it directs the user to its own login page.

I am looking for a standard way, where in I can use spring security and allow my clients to single sign on user their own credentials. Any references will be of great help. Thank you.

Answer 1

As already mentioned CAS is a web SSO, so you need to pass through it's own authentication page in order to get the SSO working. There are many ways to get CAS working with your authentication persistent system (in my projects I usually use JPA as my customers have many old applications based only on relational db persistence). In your project I suppose you can setup CAS to use your application authentication method, while your application can point directly to CAS for authentication itself. What I mean is that your application as well should use CAS for single sign on, so the users can enter their credentials just once. Finally you can customize CAS theme in order to get login and error pages with the same layout as your application (you can even load CAS login page in an iframe and then reload your application page on success if you want to integrate it inside your webapp).

If I understood what you wrote you want it to behave this way:

1. you login in your application
2. your application tells CAS you logged in
3. you access another application
4. the other application asks CAS if the user is logged in and CAS answers yes

But the "easy" explanation of the workflow is:

1. you try to access a secured part of any application secured with CAS (your or another)
2. the application asks CAS if the user is logged
3. CAS answers no, so the user is redirected to CAS login
4. the user authenticates with CAS
5. CAS redirects the user to the calling application
6. the application asks CAS if the user is logged in and CAS answers yes
7. the user can access secured parts of the application
8. the user try to access another application
9. the "another" application asks CAS if the user is logged in and CAS answers yes
10. the user can access secured parts of the "another" application

Answer 2

CAS is a web SSO so you will be able to share the user identity accross multiple web applications and Spring Security is a good CAS client. You can also enable the CAS server to delegate authentication to Facebook or Google. The idea is to have your CAS server authenticate your users and get their profile and then push them to the web applications.

Answer 3

I thought CAS provided a REST API.

If that could be used for login then the various apps could present their own login interface and send the username / password to CAS.