syncope-dev mailing list archives

From Francesco Chicchiriccò <>
Subject Re: [DISCUSS] - Third party JWT SSO integration?
Date Tue, 27 Jun 2017 08:24:12 GMT
On 26/06/2017 18:07, Colm O hEigeartaigh wrote:
> Hi all,
> It occurred to me that we can easily support SSO using third party JWT
> tokens. Instead of (or as well as) having a single "jwsSignatureVerifier"
> in securityContext.xml, we could have a map of issuer ->
> jwsSignatureVerifier Objects.
> We could get the verifier to use to verify the signature by querying the
> map using the issuer of the token. If this succeeds, and if the subject is
> a known user, we could allow the call to proceed.
> Alternatively, we could have a separate service which translates third
> party JWT tokens into local SSO tokens.

Hi Colm,
your idea seems interesting.

Instead of providing a map in securityContext.xml, I would rather enable 
[1] to dynamically discover JwsSignatureVerifier implementations (or 
maybe a new interface of ours extending that, adding a getIssuer() method).
Moreover, the new interface extending JwsSignatureVerifier could also 
provide a method to resolve the JWT subject into Syncope username (known 
If you like, I can take care of this.

Please also note that such SSO would work only at REST level; in order 
to enable Admin Console or Enduser UI to that, something like the SAML 
2.0 SP Agent [2] will need to be provided.

As people started asking for 2.0.4 [3][4] and CXF 3.1.12 is under vote, 
I think we should start finalizing, e.g. postponing new features and 
improvements to 2.0.5. But maybe this one can still fit.



Francesco Chicchiriccò

Tirasa - Open Source Excellence

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
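The issuer-keyed verifier lookup Colm proposes, as an added example that is not Syncope's or CXF's own code: it is written in self-contained Python with HMAC-SHA256 rather than against the Java JwsSignatureVerifier API the project would use, and the issuer URLs, secrets and usernames are constructed for illustration. It adds the checks a practitioner would want around the map lookup: the still-unverified `iss` claim is used only to pick the verifier, the header `alg` is pinned to what that verifier expects (so `none` or a foreign algorithm is rejected before any signature work), and `exp` and the subject-to-known-user resolution are only trusted once the signature holds.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-pad: compact JWS strips the '=' padding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HmacSha256Verifier:
    """Hypothetical stand-in for one issuer's JwsSignatureVerifier (HS256 only)."""

    algorithm = "HS256"

    def __init__(self, issuer: str, secret: bytes):
        self.issuer = issuer
        self._secret = secret

    def sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self._secret, signing_input, hashlib.sha256).digest()

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        # Constant-time comparison to avoid leaking how many bytes matched.
        return hmac.compare_digest(self.sign(signing_input), signature)


def issue_token(verifier: HmacSha256Verifier, claims: dict, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature). `alg` is a parameter only so
    a caller can produce a token whose header lies about its algorithm."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{_b64url_encode(verifier.sign(signing_input))}"


def authenticate(token: str, verifiers_by_issuer: dict, known_users, now: float = None):
    """Return the local username a third-party JWT maps to, or None to reject the call."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The unverified `iss` claim is used ONLY to choose which verifier to try.
    verifier = verifiers_by_issuer.get(claims.get("iss"))
    if verifier is None:
        return None  # unknown issuer: nobody configured to vouch for this token
    # Pin the algorithm to the configured verifier; never let the token choose it.
    if header.get("alg") != verifier.algorithm:
        return None
    if not verifier.verify(f"{header_b64}.{payload_b64}".encode("ascii"), signature):
        return None
    # Only now are the remaining claims trustworthy.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    subject = claims.get("sub")
    if subject not in known_users:
        return None  # subject is not a known local user
    return subject


# Constructed configuration: one verifier per trusted issuer, keyed by `iss`.
VERIFIERS = {
    "https://idp.example.org": HmacSha256Verifier("https://idp.example.org", b"idp-shared-secret"),
    "https://partner.example.net": HmacSha256Verifier("https://partner.example.net", b"partner-shared-secret"),
}
KNOWN_USERS = {"rossini", "verdi"}

if __name__ == "__main__":
    tok = issue_token(VERIFIERS["https://idp.example.org"],
                      {"iss": "https://idp.example.org", "sub": "rossini", "exp": time.time() + 300})
    print(authenticate(tok, VERIFIERS, KNOWN_USERS))
```

The order of checks is the point: a token signed with partner B's key but carrying issuer A's `iss` is rejected because A's verifier is the only one consulted, and a header claiming `alg: none` never reaches signature verification at all.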
