Enterprise Integration Zone is brought to you in partnership with:

I am currently working as a Software Architect and a Senior Manager at WSO2. I have spoken in numerous conferences - OSCON 2009, ApacheCon 2009, WSO2Con 2010, WSO2 SOA Workshops and WSO2 Security Workshops. I am a graduate from University of Moratuwa, Sri Lanka and in 2008 I completed my Masters specialized in software architecture from the same University. I also gained professional qualifications in BCS and ACS as well as certifications in SCDJWS, SCJP, SCBCD, SCWCD, MCSD, OCA, and CCNA. Prabath is a DZone MVB and is not an employee of DZone and has posted 15 posts at DZone. You can read more from them at their website. View Full User Profile

Security Patterns: Single Sign On across Web Applications and Web Services

09.10.2012
| 4389 views |
  • submit to reddit
The requirement is to have single sign-on across different web applications; once the user is authenticated he should be able to access all the web applications with no further authentication (by himself). Also, the web applications need to access a set of back-end services with the logged-in user's access rights and the back-end services will authorize the user (end user) based on different claims, like role.


 1. User hits the link to the WebApp.

 2. WebApp finds out user is not authenticated and redirects to the SAML2 IdP.

 3. SAML2 Idp checks whether the user has an authenticated session - if not will prompt for credentials, once authenticated there ,user will be redirected back to WebApp with a SAML token, with the set of claims requested by the WebApp.

 4. Now, the WebApp needs to access a back-end web service with the logged in user's access rights. WebApp passes the SAML token to the PEP based on WS-Trust and authenticates it self [WebApp] to the PEP via trusted-sub-system pattern.

 5. PEP will call XACML PDP to authorize the user, based on the claims provided in the SAML token.

 6. XACML PDP returns back the decision to the PEP.

 7. If it's a 'Permit' - PEP will let the user access the back-end web service.
Published at DZone with permission of Prabath Siriwardena, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)