[mitreid-connect] MITREid Connect Help

Justin Richer jricher at mit.edu
Tue Sep 15 15:28:41 EDT 2015


Hi Dan,

From your description, I would definitely recommend going with a separate ID server and using identity federation to connect your applications. This gives you not only more robustness in your architecture, which you’ve already pointed out, but also flexibility in onboarding new applications that aren’t necessarily built using Spring or even Java. 

As the maintainer of the project, I’m certainly biased in saying that our implementation is a good one that will fit your needs. ;) It’s open source (apache license) and built on top of Spring so you’re already familiar with what it’s running. Our client code is a Spring Security filter, so it should be nearly a drop-in replacement for your existing applications as well. The server's built as an add-on to an existing identity infrastructure, unlike ForgeRock which is happier when it can *be* the identity infrastructure. Really, different targets, and it sounds like the add-on approach is more like what you’re after.

The OpenID-Connect-Java-Spring-Server project is the main project, and that’s where the core server lives. The ldap-openid-connect-server project uses a Maven Overlay to add in some extension dependencies and code that you can use to deploy against an LDAP repository. It’s meant as an example customized project, and since so many people were wanting to tie this into an LDAP server we packaged it up so people could see how to do it. In your case you might want to start with the ldap project, which pulls in the upstream project. (Though, caveat, I don’t think it’s been updated to pull in the new 1.2 release quite yet.)

The code itself is free, and there is commercial support for customization, installation, and all of that through companies including my own https://bspk.io/ so feel free to reach out through there if that interests you. If you do go with us, you’d pay for our time to help you, not a license for the software.

Hope this clears things up, and best of luck in your project.
 — Justin

> On Sep 15, 2015, at 12:06 PM, Dan Hayes <dhayes at chariotsolutions.com> wrote:
> 
> Greetings,
> 
> My name is Dan Hayes and I am a software
> developer/architect/consultant working for Comcast in Philadelphia.  I
> am personally responsible for leading a team whose responsibility it
> is to build internal applications for users managing the content and
> administration of the video on demand and streaming infrastructure.
> 
> A couple of years ago we started building apps based upon a framework
> I put together using AngularJS + Java/Spring/Spring Security.  Those
> apps are deployed to a few mirrored Tomcat servers.  The reason we
> went this route is because it was the easiest path to SSO (using the
> SSO valve in Tomcat).  Each application uses Spring Security
> configured via a common security library to use the Pre-Auth
> (JeeConfigurer).  Tomcat is then configured to use LDAP to
> authenticate users against our corporate ldap server.  Everything
> works beautifully and users can seamlessly move from one context to
> another without having to log in again.
> 
> Our success has led to more and more requests for apps and we are now
> facing a crossroads.  Do we continue to add more and more apps to a
> single container, increasing the risk of a rogue app bringing down the
> server or creating memory issues?  Or do we decouple the
> authentication, offloading to a separate ID server using a protocol
> such as OpenID?  The advantages are obvious.  We would be able to
> manage the lifecycle of the JVM for each app individually and
> distribute the deployment as necessary. The primary disadvantage I see
> is increased complexity, specifically standing up another server and
> re-configuring Spring Security in the common security library to
> connect using OpenID accordingly.
> 
> I stumbled into your project and wondered if it would be a good fit,
> potentially reducing the complexity (we are pretty good with Spring
> Security but hardly security experts).  In your opinion, do you think
> your project would be a good fit for our needs?  If so, how would you
> see the architecture coming together?  Specifically, I see a number of
> github projects and I am not sure which ones would be most relevant.  I see
> the OpenID-Connect-Java-Spring-Server project.  But I also see one
> example related to ldap-openid-connect-server.  Which is most relevant
> to our requirements?  Would they BOTH be utilized together?
> 
> We are a big open source shop here and try to resist introducing
> heavyweight/expensive solutions such as ForgeRock, etc.  Not only do
> they want to charge an arm and a leg (as soon as they hear "Comcast")
> but they tend to be much more complex for our taste.
> 
> Thanks, in advance, for your help and thank you for your contribution to
> the community.
> 
> Dan
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
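The two Spring Security setups discussed in this thread, as an added example that is not code from the thread or from the MITREid Connect project: the first class is the container pre-auth arrangement Dan describes (Tomcat SSO valve plus the JEE pre-auth configurer), the second wires the MITREid Connect client filter that Justin says can stand in for it, pointing at a separate ID server. Assumed: Spring Security 4.x Java config, the MITREid Connect 1.2.x client classes under org.mitre.openid.connect.client, and the issuer URL, client id, client secret and redirect URI, which are placeholders to be replaced with the real registration.

```java
// Added example, not the project's own code. Assumes Spring Security 4.x
// Java config and the MITREid Connect 1.2.x client library on the classpath.
package example.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import org.mitre.oauth2.model.RegisteredClient;
import org.mitre.openid.connect.client.OIDCAuthenticationFilter;
import org.mitre.openid.connect.client.OIDCAuthenticationProvider;
import org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService;
import org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder;
import org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService;
import org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** "Before": trust the container. Tomcat's SSO valve authenticated the user
 *  against LDAP; Spring Security only reads the principal and roles it set. */
@Configuration
@EnableWebSecurity
@Profile("container-preauth")
class ContainerPreAuthConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.jee().mappableRoles("USER", "ADMIN")   // roles the container may assert
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}

/** "After": the app is an OpenID Connect relying party to a separate ID server.
 *  The ID server (e.g. the ldap-openid-connect-server overlay) does the LDAP
 *  login; each app only validates ID tokens from the one issuer it trusts. */
@Configuration
@EnableWebSecurity
@Profile("oidc")
class OidcClientConfig extends WebSecurityConfigurerAdapter {
    // Placeholder values (assumptions), not real endpoints or credentials.
    static final String ISSUER = "https://idserver.example.internal/";
    static final String CLIENT_ID = "vod-admin-app";
    static final String CLIENT_SECRET = "replace-with-registered-secret";
    static final String REDIRECT_URI = "https://app.example.internal/openid_connect_login";

    @Bean
    public OIDCAuthenticationFilter oidcFilter() throws Exception {
        OIDCAuthenticationFilter filter = new OIDCAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());

        // Pin a single issuer so an ID token from any other server is rejected.
        StaticSingleIssuerService issuer = new StaticSingleIssuerService();
        issuer.setIssuer(ISSUER);
        filter.setIssuerService(issuer);

        // Endpoints and signing keys come from <issuer>/.well-known/openid-configuration.
        filter.setServerConfigurationService(new DynamicServerConfigurationService());

        // Static registration of this app with that issuer; exact redirect URI match.
        RegisteredClient client = new RegisteredClient();
        client.setClientId(CLIENT_ID);
        client.setClientSecret(CLIENT_SECRET);
        client.setScope(new HashSet<>(Arrays.asList("openid", "profile", "email")));
        client.setRedirectUris(new HashSet<>(Collections.singleton(REDIRECT_URI)));
        Map<String, RegisteredClient> clients = new HashMap<>();
        clients.put(ISSUER, client);
        StaticClientConfigurationService clientService = new StaticClientConfigurationService();
        clientService.setClients(clients);
        filter.setClientConfigurationService(clientService);

        filter.setAuthRequestUrlBuilder(new PlainAuthRequestUrlBuilder());
        return filter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Validates the ID token signature, issuer, audience and expiry.
        auth.authenticationProvider(new OIDCAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(oidcFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .exceptionHandling()
                // Unauthenticated requests are sent to the filter's default login path.
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/openid_connect_login"))
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The security-relevant difference is where trust sits: the pre-auth configurer accepts whatever principal the servlet container asserts, so every app in that container shares the container's fate, while the OIDC configuration makes each app verify a signed ID token from one pinned issuer, so apps can live in separate JVMs (or outside Java entirely) and a compromised or misbehaving app no longer shares an authentication boundary with the others. Keep the client secret out of source and the redirect URI list exact; the ID server should reject any redirect that does not match a registered value.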

