midPoint SSO Integration with SAML2 Identity Providers

midPoint is a comprehensive Identity Governance and Administration (IGA) platform, used by organizations around the world to deal with Identity Provisioning, Identity Governance and Compliance, along with Access Management. As for the identity being a security perimeter, midPoint keeps an organization's internal network and external resources safe.

The most important features of midPoint are:

• Identity Governance
• Security Auditing and Reporting
• Organizational Structure Management
• Credential Management
• Workflow
• Entitlement Management

midPoint provides different types of authentication mechanisms. You can use default authentication (against local midPoint DB) or LDAP (AD) authentication. It can be also configured as a part of your SSO solution, such as CAS. Since midPoint uses the Spring Security framework for matters of authentication, it can be easily integrated with any other SSO framework supported by Spring Security features.

Unicon has developed an extension to enhance the authentication mechanisms of the platform. Tapping into midPoint's authentication engine and Spring Security, Unicon has developed an SSO integration with SAML2-compliant identity providers, such as the Shibboleth identity provider. This extension builds on top of Spring Security where the SAML request and response processing is handled by the pac4j library. pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles, and manage authorizations in order to secure web applications. The extension through pac4j essentially provides midPoint with an embedded Java-based service provider whose activation in midPoint is handled via a profile. Configuration is managed alongside other midPoint settings, recognized by midPoint and Spring Boot.

This extension is built on top of pac4j for good reason. As of this writing today, the Spring Security SAML extension project of Spring Security does not yet support the most recent versions of OpenSAML. If this were true, it is likely that the midPoint SAML extension would have simply utilized the Spring Security SAML library for its SAML processing and management of requests and responses. However, while Spring Security development continues to move forward, pac4j presented itself as an available lightweight library that could do the job based on supported versions of OpenSAML. Furthermore, by using this small library, we reserve the right to take advantage of its other integration features with OAuth2 and OpenID Connect authentication providers to provide midPoint with greater flexibility in supporting different authentication mechanisms.

In the near future we are hoping to contribute this extension back to the midPoint codebase. In the meantime, if you would like to learn more about this extension and the feasibility of adopting it for your midPoint deployment, please reach out and contact Unicon for more information.