midPoint SSO Integration with SAML2 Identity Providers

The Unicon Team

midPoint is a comprehensive Identity Governance and Administration (IGA) platform, used by organizations around the world for Identity Provisioning, Identity Governance and Compliance, and Access Management. Treating identity as the security perimeter, midPoint helps keep an organization's internal network and external resources safe.

The most important features of midPoint are:

  • Identity Governance
  • Security Auditing and Reporting
  • Organizational Structure Management
  • Credential Management
  • Workflow
  • Entitlement Management

midPoint provides several authentication mechanisms. You can use the default authentication (against the local midPoint database) or LDAP (Active Directory) authentication. It can also be configured as part of an SSO solution, such as CAS. Since midPoint uses the Spring Security framework for authentication, it can be integrated with any other SSO framework that Spring Security supports.

Unicon has developed an extension to enhance the authentication mechanisms of the platform. Tapping into midPoint's authentication engine and Spring Security, Unicon has developed an SSO integration with SAML2-compliant identity providers, such as the Shibboleth identity provider. This extension builds on top of Spring Security where the SAML request and response processing is handled by the pac4j library. pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles, and manage authorizations in order to secure web applications. The extension through pac4j essentially provides midPoint with an embedded Java-based service provider whose activation in midPoint is handled via a profile. Configuration is managed alongside other midPoint settings, recognized by midPoint and Spring Boot.
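To make the "embedded service provider" concrete, the following is an added illustration (written for this page, not code from the Unicon extension or from midPoint) of how a pac4j SAML2 client is assembled from an SP keystore and the identity provider's metadata, using the pac4j 3.x/4.x `SAML2Configuration` and `SAML2Client` API. The file paths, entity ID and callback URL are hypothetical placeholders; the keystore and private-key passwords are assumed to come from midPoint's own secured configuration rather than from source code.

```java
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;

/** Builds a pac4j SAML2 client acting as the service provider in front of midPoint (illustrative). */
public final class MidPointSamlClientFactory {

    // Hypothetical deployment values; replace with the real paths and URLs of your installation.
    private static final String SP_KEYSTORE   = "file:/opt/midpoint/var/saml/sp-keystore.jks";
    private static final String IDP_METADATA  = "file:/opt/midpoint/var/saml/idp-metadata.xml";
    private static final String SP_METADATA   = "/opt/midpoint/var/saml/sp-metadata.xml";
    private static final String SP_ENTITY_ID  = "https://midpoint.example.edu/midpoint/sp";
    private static final String CALLBACK_URL  = "https://midpoint.example.edu/midpoint/callback";

    private MidPointSamlClientFactory() {}

    public static SAML2Client build(String keystorePassword, String privateKeyPassword) {
        // The keystore holds the SP's signing/decryption key pair. The IdP metadata supplies the
        // IdP entity ID, endpoints and signing certificate that every incoming response is
        // validated against, so that file must be obtained over a trusted channel.
        SAML2Configuration cfg = new SAML2Configuration(
                SP_KEYSTORE, keystorePassword, privateKeyPassword, IDP_METADATA);
        cfg.setServiceProviderEntityId(SP_ENTITY_ID);

        // pac4j writes the generated SP metadata here; this is what the IdP administrator
        // registers on the Shibboleth side.
        cfg.setServiceProviderMetadataPath(SP_METADATA);

        // Defensive settings: sign outgoing AuthnRequests and require signed assertions, so a
        // response that arrived over HTTPS but carries no signature is rejected.
        cfg.setAuthnRequestSigned(true);
        cfg.setWantsAssertionsSigned(true);

        // Reject assertions whose authentication instant is older than one hour (value in seconds),
        // limiting how long a captured assertion stays usable.
        cfg.setMaximumAuthenticationLifetime(3600);

        SAML2Client client = new SAML2Client(cfg);
        client.setCallbackUrl(CALLBACK_URL);
        return client;
    }
}
```

The client returned here is what Spring Security would hand requests to: it redirects unauthenticated users to the IdP, and on return validates the signature, audience, conditions and authentication instant of the SAML response before exposing a user profile to midPoint. Rotating the SP keystore or the IdP metadata file means regenerating and re-exchanging metadata on both sides.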

This extension is built on top of pac4j for good reason. As of this writing, the Spring Security SAML extension project does not yet support the most recent versions of OpenSAML. If it did, the midPoint SAML extension would likely have used the Spring Security SAML library for its SAML processing and for managing requests and responses. While Spring Security development continues to move forward, pac4j presented itself as a lightweight library that could do the job on supported versions of OpenSAML. Furthermore, using this small library leaves the option open to take advantage of its other integrations with OAuth2 and OpenID Connect authentication providers, giving midPoint greater flexibility in supporting different authentication mechanisms.

In the near future we are hoping to contribute this extension back to the midPoint codebase. In the meantime, if you would like to learn more about this extension and the feasibility of adopting it for your midPoint deployment, please reach out and contact Unicon for more information.

The Unicon Team

Unicon is a leading technology consulting firm focused solely on the education ecosystem with more than 25 years' experience partnering with institutions and companies to create learner-centric digital experiences that transform the Learner Journey. Organizations leverage our domain expertise across numerous disciplines, including Amazon Web Services, IAM, analytics, standards-based integration, learning technology, and learning content. We believe in the power of technology to expand access to education, and in the power of education to create a better future for all.