
Implementing Mujina as the IDP for a Dockerized Front-end application as the SP #61

Open
ambekars opened this issue Jul 22, 2020 · 2 comments

Comments

@ambekars

ambekars commented Jul 22, 2020

We are currently working on a Dockerized front-end web application setup, which queries two different Documentum application (content management) repositories and merges the result-set on the front-end application. We want to enable SSO for this application using Mujina for our dev/testing environment. As we understand, we need to have pre-defined roles configured within Mujina and users need to be part of those roles in order to log in using SSO. The two back-end applications have separate roles, users and groups defined, and the user should have proper permissions in order to return results in the query from their respective repository. In this scenario, do our two back-end applications need to have a common role defined, or can SAML 2.0 be configured with two separate roles with a common cert in the SP and IDP applicable for both scenarios?
Please advise.

@oharsta
Member

oharsta commented Aug 2, 2020

The whole idea of using a SAML IdP is that the users are maintained / identified by the IdP. Normally an SP would provision new users and / or recognise existing users after a successful authentication response is sent back by the IdP to the SP. If the two back-end applications have their own users and groups defined independent of the IdP, then this is not a scenario where SAML SSO is applicable.

@ambekars
Author

ambekars commented Aug 2, 2020

Hi Okke, thanks for the note. To clarify further on my query: both back-end applications have their own users and groups (but they are essentially the same users), and they both get synched through LDAP. The two back-end applications typically have their own front-ends as well (not applicable for this scenario, wherein we are implementing Mujina too), but that's a typical SP-initiated flow (from individual applications authenticating via the Mujina IDP). In this case, we have a front-end client sitting on top of both application repositories and providing a search result-set by joining the results from both back-end repositories. The only mandatory requirement we have here is that the user needs to be logged in and authenticated automatically by both back-end repositories when he logs into this front-end, and the result set will only show when he achieves authentication from both repositories. Partial authentication based on either one of them should not show any search results and should throw an authentication error. Can one IDP be used to have the user logged in to this front-end? The user can be a member of both back-end repositories. Hope this provides a better perspective for my query. Please advise.
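The requirement in the last comment (search results only when the user is authorized for both repositories, an error on partial membership) is the kind of decision an SP makes from the attributes the IdP places in its assertion, rather than by holding a second set of users. The following is an added example for illustration; it is not Mujina's code and not the reporter's setup. It assumes the IdP issues a multi-valued attribute named `roles` (the attribute name, the role values `repo_a_reader`/`repo_b_reader`, the repository names and the sample assertions are all constructed), and it works on an assertion that a SAML library has already signature-checked and handed over as XML.

```python
"""SP-side "member of both repositories" check from SAML assertion attributes.

Added example, not part of Mujina or of the reporter's application.
Assumptions (constructed for this illustration):
  * the IdP issues a multi-valued attribute named "roles";
  * repository A requires role "repo_a_reader", repository B "repo_b_reader";
  * the assertion XML has already been signature-validated by the SAML
    library in use; this code only does the authorization decision.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

ROLE_ATTRIBUTE = "roles"  # assumed attribute name

# Roles each back-end repository requires (assumed names). Both sets must be
# satisfied before any merged search result is returned.
REQUIRED_ROLES: Dict[str, Set[str]] = {
    "repo_a": {"repo_a_reader"},
    "repo_b": {"repo_b_reader"},
}


class SearchAuthorizationError(Exception):
    """Raised when the subject is not authorized for every repository."""


def extract_attributes(assertion_xml: str) -> Dict[str, Set[str]]:
    """Collect every <saml2:Attribute> of the assertion as name -> set of values."""
    root = ET.fromstring(assertion_xml)
    attributes: Dict[str, Set[str]] = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML2_NS):
        name = attr.get("Name", "")
        values = {
            v.text.strip()
            for v in attr.findall("saml2:AttributeValue", SAML2_NS)
            if v.text and v.text.strip()
        }
        attributes.setdefault(name, set()).update(values)
    return attributes


def extract_subject(assertion_xml: str) -> str:
    """Return the NameID of the assertion subject (empty string if absent)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", SAML2_NS)
    return (name_id.text or "").strip() if name_id is not None else ""


def authorize_search(assertion_xml: str) -> Dict[str, object]:
    """Decide, per repository and overall, whether the subject may search.

    'granted' is True only when the required roles of every repository are a
    subset of the roles asserted by the IdP.
    """
    roles = extract_attributes(assertion_xml).get(ROLE_ATTRIBUTE, set())
    per_repo = {repo: required <= roles for repo, required in REQUIRED_ROLES.items()}
    return {
        "subject": extract_subject(assertion_xml),
        "per_repo": per_repo,
        "granted": all(per_repo.values()),
    }


def require_both_repositories(assertion_xml: str) -> str:
    """Return the subject if authorized for all repositories, else raise."""
    decision = authorize_search(assertion_xml)
    if not decision["granted"]:
        missing = [repo for repo, ok in decision["per_repo"].items() if not ok]
        raise SearchAuthorizationError(
            f"{decision['subject'] or '<unknown>'} lacks access to: {', '.join(missing)}"
        )
    return str(decision["subject"])


# Constructed, minimal, unsigned assertions used only to exercise the check.
ASSERTION_BOTH = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles">
      <saml2:AttributeValue>repo_a_reader</saml2:AttributeValue>
      <saml2:AttributeValue>repo_b_reader</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

ASSERTION_PARTIAL = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml2:Subject><saml2:NameID>bob</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles">
      <saml2:AttributeValue>repo_a_reader</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


if __name__ == "__main__":
    print(authorize_search(ASSERTION_BOTH))     # granted: True
    print(authorize_search(ASSERTION_PARTIAL))  # granted: False, repo_b missing
```

The point of the shape is that the SP never consults the two repositories' own user stores to decide who the user is; identity comes from the IdP, and the only SP-side logic is the conjunction of the two role requirements, which is what turns partial membership into a hard error instead of a half-empty result set. Signature and audience validation still belong to the SAML library that hands over the assertion.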
