SSO configuration with SAML Web Browser SSO and Web inbound propagation

[Charlotte-Holt]

From LC: New concept topic about This is old but a lot of big companies use it. Another form of SSO that enterprises use so that end-users can sign on once and a tokens track their identity so they don't need to keep logging in to different systems (as long as SSO is set up for each system).

See the KC topic for information: https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/cwlp_saml_web_sso.html. Check that all the diagram scenarios are relevant and that they're framed correctly for cloud-native microservices scenarios. Also, provide more introduction to each scenario to make it clear how/why they're different from each other and to help the developer know which is relevant to them.

Sources of information:

• https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/cwlp_saml_web_sso.html
• https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_config_saml_web_sso.html
• https://www.ibm.com/support/knowledgecenter/SSD28V_liberty/com.ibm.websphere.wlp.core.doc/ae/twlp_saml_web_inbound_prop.html

[Rwalls1]

Link to current draft: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#/docs/concept/sso-config-saml.html

[Rwalls1]

@chunlongliang-ibm Please review the updated draft: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#/docs/concept/sso-config-saml.html

[Rwalls1]

@chunlongliang-ibm The latest changes are now ready for review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#/docs/concept/sso-config-saml.html

[ManasiGandhi]

@Rwalls1

A concise and well written article. some suggestions

• Change, 'Security Assertion Markup Language (SAML) is an OASIS open standard for representing and exchanging user identity,' to, 'Security Assertion Markup Language (SAML) is an OASIS open standard to represent and exchange user identity' to avoid gerunds.
• Elaborate on OASIS as 'Organization for the Advancement of Structured Information Standards
• 'SAML provides the flexibility to configure multiple scenarios, such as Web browser single-sign on (SSO)'. In this sentence, provide some examples of multiple scenarios besides SSO before narrowing down on SSO in the next sentence.
• Change, ' With the SP-intiated authentication flow, the user starts at the service provider for a request to a secured web application,' to, ' With SP-intiated authentication flow, a user starts at the service provider for a request to a secured web application.' to maintain consistency with the next sentence and reduce the number of 'the's in the sentence.

[Rwalls1]

@lauracowen Please review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#/docs/concept/sso-config-saml.html

[chirp1]

Hi Richard, I did a quick review of the article, and as you and I discussed, you'll need to rewrite the article, maybe starting with your original draft. Thanks! -- Karen

[Rwalls1]

@chunlongliang-ibm Please review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#sso-config-saml.html

[Rwalls1]

1204

[Rwalls1]

@chunlongliang-ibm Please review the latest update: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#sso-config-saml.html

[chunlongliang-ibm]

looks good.

[Rwalls1]

@lauracowen Please review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#sso-config-saml.html

[Rwalls1]

@ManasiGandhi Please review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#sso-config-saml.html

[ManasiGandhi]

@Rwalls1 Well written! One suggestion. In the second paragraph it says "The SAML assertion provides a vendor neutral way of transferring information between federation business partners." Can you add a hyphen to term' vendor neutral' ( vendor-neutral'). If possible change the term itself to avoid using the term vendor.

[lauracowen]

• Related to what Manasi said above, "The SAML assertion provides a vendor neutral way of transferring information between federation business partners." can you change "vendor" to something like "app server-neutral" or change it to something like "a standards-based way" or reword as something like "compatible with any standards-based app server". But check with, say, Bruce that that's accurate. Vendor usually refers to IBM, Red Hat, Payara, etc. But Open Liberty isn't being sold as such so it's not really accurate - and from a user perspective, they don't care - they do care whether the technology/standard is compatible across, say, different app servers (if that's the case).
• I'm not sure what "federation business partners" means though - can you clarify? The sentence after it is nice and clear, it's just that "federation" one that's not.
• in the second paragraph, when you explain what a SAML assertion is (which is nice and clear), could you give an example of a "service provider"? eg a website. It just makes it that bit easier to follow and less abstract (the diagram uses "service provider" and "content site" which are both a bit abstract but I can live with that as long as the text is more concrete).
• Can you reduce the amount of abbreviations used? although it's a pain to keep typing, it's way easier to understand a sentence that talks about "service provider" rather than "SP" (with which you have to keep thinking back to map it to "service provider"); "identity provider" would be ok as "ID provider" but that's more meaningful than "IdP". Also "Single Logout" not "SLO". If the abbreviation is commonly recognised, it's fine to put it in parentheses but don't use it routinely in a topic like this in which every other sentence ends up containing an abbreviation.
• Can you provide the steps in the flow as text not in the image? (crop the steps out of the image) For accessibility reasons mainly.
• "but does have a federated account that is managed by a third-party IdP" could this third-party be an LDAP user registry or social media login or similar? Or is that something different? If it can be, could that be given here as an example?

The topic in general looks good though. So if you can address the specific points above, I think we're good to go on this. Thanks

[Rwalls1]

@lauracowen Please review: https://draft-openlibertyio.mybluemix.net/docs/ref/general/#sso-config-saml.html

[lauracowen]

Thanks

[lauracowen]

Hi Richard,

Alasdair and I took a look at some of the SSO topics last night and we agreed we need to make some changes to how the SSO info is presented. We currently have too much info about the abstract concepts that people could better obtain elsewhere. I'm going to chat with Charlotte about it this afternoon but please can you hold off working on this topic in the meantime?

Thanks,

Laura

[lauracowen]

Superceded by #1676 so I'm closing this issue.