Cross Protocol Single Sign On
Identity Brokering
A major player in the global finance industry approached miniOrange with a very specific requirement for their newly built Drupal website: a novel solution for Cross Protocol Single Sign On.
A combination of the Drupal SAML SP module and the miniOrange IDP, working in tandem, provided a solution that had not been proposed before, allowing the finance giant to serve its user base.
Key Requirements:
- The Drupal site must act as the Service Provider and must use the SAML protocol, while the Identity Provider it is configured against ONLY supports the OAuth 2.0 SSO protocol.
- A SAML SSO request initiated from the Drupal site should be processed by the Identity Provider (IDP) as a standard OAuth 2.0 flow.
System Flow:

Key Challenges:
- Communicating between the SAML-compliant SP and the OAuth-compliant IDP.
- Converting the SAML request into an equivalent OAuth request, and the OAuth response back into a SAML response.
Implementation:
The components used to get this functionality up and running were:
The primary Drupal site was configured as the Service Provider, with the miniOrange Drupal SAML SP module installed on it. This module communicates with the miniOrange IDP, which processes all the requests.
To make the SAML SSO request readable by the OAuth IDP, it had to be restructured.
Enter the miniOrange IDP, the identity broker.
The miniOrange IDP acts as a brokering service (identity broker). It takes in the SAML SSO request from the Drupal site and converts it into the corresponding OAuth authorization request, which the OAuth-supporting IDP can read.
The conversion preserves everything the Identity Provider needs from the SP's request (which SP is asking, and that a user must authenticate) without retaining user data on the miniOrange server. Because the two protocols do not share a message format, the broker necessarily keeps one piece of transient state per login: the SAML request context (request ID, Assertion Consumer Service URL, RelayState) bound to the OAuth `state` parameter, so the OAuth callback can be matched to the SAML request that started it.
This restructured request is passed to the OAuth-compliant Identity Provider, which runs the standard three-step OAuth 2.0 authorization code flow (authorization request and user login, exchange of the returned code for an access token, retrieval of the authenticated user's identity with that token). Once this is done, the OAuth response is sent back to the broker.
The miniOrange IDP receives this response, validates the `state` parameter against the pending request, and generates the equivalent SAML Response: the user's identity as a NameID, `InResponseTo` set to the original request ID, and an audience restriction naming the Drupal SP. The Response is signed with the broker's key and forwarded to the Drupal website, where the SAML SP module checks the signature, `InResponseTo`, audience and validity window before creating the user session and logging the user in.
A user who starts SSO from the SP never sees the identity brokering service (the miniOrange IDP) in the flow. From the user's point of view they click the login link on the website, are redirected to the Identity Provider's page, enter their credentials, and after validation are logged into the service they originally tried to access.
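The brokering flow described above, as an added Python example that is neither miniOrange's code nor the Drupal module's: a stdlib-only SAML-to-OAuth broker (hop 1: AuthnRequest to OAuth authorization URL; hops 2 and 3: callback validation, code exchange, SAML Response) together with the SP-side checks on the Response. Every hostname, client id, the registered SP metadata, the sample AuthnRequest and the fake OAuth IdP are constructed assumptions. XML signing of the Response and its verification by the SP are deliberately left out and marked in comments; a real deployment must not skip them.

```python
"""SAML-to-OAuth brokering in miniature (stdlib only).  Hop 1: SP AuthnRequest ->
OAuth authorization URL.  Hop 2: OAuth callback -> state check, code exchange (simulated).
Hop 3: SAML Response built by the broker, validated by the SP before a session exists."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical broker configuration: every URL and id here is an assumption.
BROKER_ENTITY_ID = "https://broker.example.com/saml/idp"
OAUTH_AUTHORIZE_ENDPOINT = "https://oauth-idp.example.com/oauth/authorize"
OAUTH_CLIENT_ID = "saml-broker"
OAUTH_REDIRECT_URI = "https://broker.example.com/oauth/callback"
# SP entity id -> ACS URL, as registered through SP metadata.
REGISTERED_SPS = {"https://drupal.example.com/saml/metadata": "https://drupal.example.com/saml/acs"}
# The broker cannot be fully stateless: it must know which SAML request an OAuth
# callback belongs to.  One entry per in-flight login, keyed by the OAuth `state`.
PENDING = {}

def _now():
    return datetime.now(timezone.utc)

def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def encode_redirect(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def make_authn_request(sp_entity_id, acs_url, request_id):
    """Constructed stand-in for what the Drupal SAML SP module would send."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{_fmt(_now())}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return encode_redirect(xml.encode())

def saml_request_to_oauth_redirect(saml_request_b64, relay_state=None):
    """Hop 1: validate the AuthnRequest and emit the OAuth authorization URL."""
    root = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_b64), -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("expected samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs = REGISTERED_SPS.get(issuer)
    if acs is None:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    requested = root.get("AssertionConsumerServiceURL")
    if requested and requested != acs:
        # Honouring an unregistered ACS would let a crafted request redirect the assertion.
        raise ValueError("AssertionConsumerServiceURL does not match SP metadata")
    state = secrets.token_urlsafe(32)
    PENDING[state] = {"request_id": root.get("ID"), "sp": issuer, "acs": acs,
                      "relay_state": relay_state, "expires": _now() + timedelta(minutes=5)}
    return OAUTH_AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": OAUTH_CLIENT_ID, "redirect_uri": OAUTH_REDIRECT_URI,
        "scope": "openid email", "state": state})

def oauth_callback_to_saml_response(callback_url, exchange_code):
    """Hops 2-3: check state, exchange the code, build the SAML Response.
    `exchange_code(code) -> {"email": ...}` stands in for the token + userinfo calls."""
    qs = parse_qs(urlparse(callback_url).query)
    ctx = PENDING.pop(qs.get("state", [""])[0], None)  # one-time use: a replay finds nothing
    if ctx is None or ctx["expires"] < _now():
        raise ValueError("unknown, replayed or expired state")
    user = exchange_code(qs["code"][0])
    now, later = _now(), _now() + timedelta(minutes=5)
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                      "IssueInstant": _fmt(now), "Destination": ctx["acs"], "InResponseTo": ctx["request_id"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = BROKER_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _fmt(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = BROKER_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = user["email"]
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": ctx["request_id"], "Recipient": ctx["acs"], "NotOnOrAfter": _fmt(later)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _fmt(now - timedelta(minutes=1)), "NotOnOrAfter": _fmt(later)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = ctx["sp"]
    # Deliberately omitted: a real broker XML-signs the Response/Assertion here (xmldsig).
    return ctx["acs"], ctx["relay_state"], base64.b64encode(ET.tostring(resp)).decode()

def sp_validate_response(response_b64, expected_request_id, sp_entity_id, acs_url):
    """The SP's ACS checks before a session is created.  Signature verification, which a
    real SP does first, is the one check not modelled here."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request this browser started")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this ACS")
    if root.findtext("saml:Issuer", namespaces=NS) != BROKER_ENTITY_ID:
        raise ValueError("untrusted issuer")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("status is not Success")
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if not _parse(cond.get("NotBefore")) <= _now() < _parse(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_entity_id:
        raise ValueError("assertion is addressed to another SP")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo():
    """End to end with a constructed request and a fake OAuth IdP; returns (ACS, RelayState, NameID)."""
    sp = "https://drupal.example.com/saml/metadata"
    req_id = "_" + secrets.token_hex(16)
    url = saml_request_to_oauth_redirect(make_authn_request(sp, REGISTERED_SPS[sp], req_id), "/node/1")
    callback = OAUTH_REDIRECT_URI + "?code=constructed-code&state=" + parse_qs(urlparse(url).query)["state"][0]
    acs, relay, resp = oauth_callback_to_saml_response(callback, lambda code: {"email": "alice@example.com"})
    return acs, relay, sp_validate_response(resp, req_id, sp, acs)

if __name__ == "__main__":
    print(demo())
```

The two places a broker gets this wrong in practice are both visible here: accepting whatever ACS URL the request names instead of the one from SP metadata, and treating `state` as a nonce that can be reused rather than a one-time key into the pending-login table. The SP side, for its part, must verify the signature before any of the checks in `sp_validate_response`, otherwise the `InResponseTo` and audience fields are attacker-controlled.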
Key Takeaways:
This solution lets systems that support different protocols communicate and get requests processed as if nothing were different.
A solely SAML-compliant Service Provider can get its users verified and logged in by a solely OAuth-compliant Identity Provider.
Why Drupal was chosen
- Their primary site is built on Drupal. Drupal was chosen for its ability to scale.
- Drupal is open-source with no licensing costs.
- miniOrange offers a wide range of modules that augment the security of a Drupal website.
- Drupal is scalable, resilient, robust and reliable for a major player in the global finance sector and a security solutions organization like miniOrange.
Technical Specifications
Drupal version:
Key modules/theme/distribution used: