[mitreid-connect] MITREid Connect Help

Dan Hayes dhayes at chariotsolutions.com
Tue Sep 15 12:06:08 EDT 2015


Greetings,

My name is Dan Hayes and I am a software
developer/architect/consultant working for Comcast in Philadelphia.  I
am personally responsible for leading a team whose responsibility it
is to build internal applications for users managing the content and
administration of the video on demand and streaming infrastructure.

A couple of years ago we started building apps based upon a framework
I put together using AngularJS + Java/Spring/Spring Security.  Those
apps are deployed to a few mirrored Tomcat servers.  The reason we
went this route is because it was the easiest path to SSO (using the
SSO valve in Tomcat).  Each application uses Spring Security
configured via a common security library to use the Pre-Auth
(JeeConfigurer).  Tomcat is then configured to use LDAP to
authenticate users against our corporate LDAP server.  Everything
works beautifully and users can seamlessly move from one context to
another without having to log in again.

Our success has led to more and more requests for apps and we are now
facing a crossroads.  Do we continue to add more and more apps to a
single container, increasing the risk of a rogue app bringing down the
server or creating memory issues?  Or do we decouple the
authentication, offloading it to a separate ID server using a protocol
such as OpenID?  The advantages are obvious.  We would be able to
manage the lifecycle of the JVM for each app individually and
distribute the deployment as necessary. The primary disadvantage I see
is increased complexity, specifically standing up another server and
re-configuring Spring Security in the common security library to
connect using OpenID accordingly.

I stumbled into your project and wondered if it would be a good fit,
potentially reducing the complexity (we are pretty good with Spring
Security but hardly security experts).  In your opinion, do you think
your project would be a good fit for our needs?  If so, how would you
see the architecture coming together?  Specifically, I see a number of
GitHub projects and I am not sure which ones would be most relevant.  I see
the OpenID-Connect-Java-Spring-Server project.  But I also see one
example related to ldap-openid-connect-server.  Which is most relevant
to our requirements?  Would they BOTH be utilized together?

We are a big open source shop here and try to resist introducing
heavyweight/expensive solutions such as ForgeRock, etc.  Not only do
they want to charge an arm and a leg (as soon as they hear "Comcast")
but they tend to be much more complex for our taste.

Thanks, in advance, for your help and thank you for your contribution to
the community.

Dan