IT:AD:Design:Blueprints:Unified Session Handling
Summary
There are several different mechanisms to sign in to a system: SAML, OpenID, etc.
Each one brings its own vendor client library and its own Principal/Identity type into the application.
Letting the rest of the code depend on those vendor Principals is not maintainable in the long term.
A better solution is to use the vendor client library for what it is good at (the protocol exchange with the IdP) and then convert the result into an app-specific Principal that the rest of the logic can rely on. In practice only the AOP Authorisation Service on the Application's Facade will look at that Principal, but that is still reason enough: the logic there then has to deal with only one kind of AuthZ library, whatever sign-in mechanism produced the identity.
Notes
User requests a resource.
Use a custom Session Handler. (In ASP.NET pipeline terms this has to be an IHttpModule rather than an IHttpHandler; see the ordering problem below.)
Proposed Strategy:
First request:
- The request was not authenticated by OIOSAML. Therefore there is no IPrincipal.
- CustomHandler does not see the App ST cookie, so it does nothing either.
- UrlAuthorizationModule checks, sees that the request is for a protected resource, and returns status code 401.
- Which (presumably) OIOSAML catches in EndRequest and turns into a redirect to the IdP.
- WARNING: CHECK: as long as the response was final/closed at that point, it will not be caught or reprocessed by CustomHandler.
- The IdP sooner or later (after the user enters the correct name/password) returns the user to the OIOSAML RACS (the assertion consumer endpoint, Saml20SignonHandler), which converts the assertion into an OIOSAML Principal and sets the OIO cookie.
  See: https://view.softwareborsen.dk/Softwareborsen/oiosaml.net/trunk/src/dk.nita.saml20/dk.nita.saml20/Protocol/Saml20SignonHandler.cs?view=markup
- Problem: handlers run after the modules for a given request, so a handler cannot swap in the AppPrincipal before UrlAuthorizationModule has already evaluated the request.
- Have to wrap their handler with our handler, I suspect (or hook our own module into PostAuthenticateRequest, which fires before the AuthorizeRequest event that UrlAuthorizationModule listens on), in order for us to do the following:
  - convert their Identity to an AppIdentity, discarding the OIOSAML identity. Or embed it within the AppIdentity so the original attributes stay reachable?
  - set the App ST cookie (so there are now 2 cookies: ours and the original from OIOSAML).
- UrlAuthorizationModule is now satisfied.
Next request:
- OIOSAML converts the OIOSAML token into an OIOSAML Identity.
- * IMPORTANT * Not sure where OIOSAML is storing the Identity information. And what's the impact of using different front-end servers? If it lives in ASP.NET session state, a web farm needs out-of-process session state or sticky sessions. Our App ST cookie should not add a second such dependency: make it self-contained and integrity-protected (encrypted and MAC'd under a machineKey shared by all front-ends) so any server can validate it without shared state.
- CustomHandler, running as a module (modules are processed in the order they are registered for the same pipeline event), converts the OIOSAML Identity into an AppIdentity (same as above). UrlAuthorizationModule works against the AppPrincipal and is satisfied.
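As an added example (not OIOSAML.NET code, nor this blueprint's own), the module described above in C#: it hooks PostAuthenticateRequest, converts whatever authenticated principal the vendor library left in HttpContext.User into an AppPrincipal, and issues a self-contained App ST cookie protected with MachineKey so that any front-end sharing the same machineKey can validate it without session state. The cookie name AppST, the AppPrincipal type, the purpose strings, the urn:app:source claim and the 20-minute lifetime are assumptions; the code depends only on System.Web and System.Security.Claims, not on any OIOSAML type.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Security;

// Added example, not OIOSAML.NET code. The app-specific principal that the rest of the
// application (and the AOP Authorisation Service) depends on. Type name is hypothetical.
public sealed class AppPrincipal : ClaimsPrincipal { public AppPrincipal(ClaimsIdentity id) : base(id) { } }

public sealed class AppSessionModule : IHttpModule
{
    private const string AuthType = "App";      // non-empty authenticationType => IsAuthenticated == true
    private const string CookieName = "AppST";  // hypothetical cookie name
    private static readonly string[] Purpose = { "AppSessionModule", "ticket", "v1" };
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20); // assumption; keep it short

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires before AuthorizeRequest (the event UrlAuthorizationModule
        // listens on), so the principal is replaced in time regardless of web.config module order.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        // Later requests: a valid App ST cookie is enough; no vendor identity or shared state is consulted.
        var cookie = ctx.Request.Cookies[CookieName];
        if (cookie != null)
        {
            var restored = TryRestore(cookie.Value);
            if (restored != null) { SetPrincipal(ctx, restored); return; }
            ctx.Response.Cookies.Add(new HttpCookie(CookieName, "") { Expires = DateTime.UtcNow.AddDays(-1) }); // drop bad cookie
        }

        // First request after the vendor library authenticated the user: convert and issue our own ticket.
        var upstream = ctx.User;
        if (upstream != null && upstream.Identity != null && upstream.Identity.IsAuthenticated)
        {
            var converted = Convert(upstream);
            if (converted == null) return; // vendor identity without a usable name: stay anonymous
            SetPrincipal(ctx, converted);
            ctx.Response.Cookies.Add(Issue(converted));
        }
        // Otherwise the request stays anonymous and UrlAuthorizationModule answers 401.
    }

    private static void SetPrincipal(HttpContext ctx, IPrincipal p)
    {
        ctx.User = p;
        Thread.CurrentPrincipal = p; // so PrincipalPermission / AOP checks see the same principal
    }

    // Only this method knows about the vendor principal; everything else sees AppPrincipal.
    private static AppPrincipal Convert(IPrincipal upstream)
    {
        var name = upstream.Identity.Name;
        if (string.IsNullOrEmpty(name)) return null;
        var id = new ClaimsIdentity(AuthType);
        id.AddClaim(new Claim(ClaimTypes.Name, name));
        id.AddClaim(new Claim("urn:app:source", upstream.Identity.AuthenticationType ?? "unknown"));
        var cp = upstream as ClaimsPrincipal; // "embed it within itself": keep upstream attributes reachable
        if (cp != null)
            foreach (var c in cp.Claims)
                id.AddClaim(new Claim(c.Type, c.Value, c.ValueType, "upstream"));
        return new AppPrincipal(id);
    }

    // Self-contained ticket "name|expiryTicks", encrypted and MAC'd under the configured machineKey.
    private static HttpCookie Issue(AppPrincipal p)
    {
        var expires = DateTime.UtcNow.Add(Lifetime);
        var payload = Encoding.UTF8.GetBytes(p.Identity.Name + "|" + expires.Ticks);
        var token = HttpServerUtility.UrlTokenEncode(MachineKey.Protect(payload, Purpose));
        return new HttpCookie(CookieName, token) { HttpOnly = true, Secure = true, Path = "/" }; // Secure assumes HTTPS
    }

    private static AppPrincipal TryRestore(string cookieValue)
    {
        try
        {
            var raw = HttpServerUtility.UrlTokenDecode(cookieValue);
            if (raw == null) return null;
            var parts = Encoding.UTF8.GetString(MachineKey.Unprotect(raw, Purpose)).Split('|');
            if (parts.Length != 2) return null;
            if (new DateTime(long.Parse(parts[1]), DateTimeKind.Utc) < DateTime.UtcNow) return null; // expired
            var id = new ClaimsIdentity(AuthType);
            id.AddClaim(new Claim(ClaimTypes.Name, parts[0]));
            return new AppPrincipal(id);
        }
        catch (Exception) { return null; } // tampered, malformed, or issued under another machineKey: all rejected alike
    }

    public void Dispose() { }
}
```

Register it in web.config under system.webServer/modules (for example `<add name="AppSession" type="AppSessionModule" />`) and configure an explicit, identical machineKey on every front-end; the ticket then validates anywhere without shared session state, which is the answer to the multi-server question above for our cookie (it does not change where OIOSAML keeps its own identity). Two consequences of the design are worth noting: on later requests the App ST cookie is the authority, so a logout at the IdP or in OIOSAML does not revoke it until Lifetime expires, which is why the lifetime is short and why a deployment might additionally require the OIO cookie to still be present; and the restored principal carries only the name, so if the AOP Authorisation Service needs roles or other attributes they must either be put into the ticket or re-derived from the vendor identity on each request.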