Single instance of PicketLink for multiple applications

My intention is to implement with PicketLink something similar to what Atlassian has done in Crowd.

In more detail, I want a single PicketLink instance to provide authentication, authorization, SSO and IdM services to multiple Java EE applications. The point here is to have a single place for JPA/LDAP configuration, custom IdM model and custom authenticators (all of the above will be shared between client applications).

As far as I've learned from the documentation, PicketLink doesn't offer this out of the box. I would imagine client applications using PicketLink APIs, but the actual calls being proxied to master PicketLink instance via RMI/Hessian/REST etc. I would appreciate any expert opinion on whether this architecture will be viable, as well as any other criticisms and suggestions.

1 Answer

You are looking for SAML

SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

PicketLink supports SAML

You can create a PicketLink instance (basically a Java EE app) that acts as an identity provider. This instance will be the "... single place for JPA/LDAP configuration, custom IdM model and custom authenticators". The other Java EE applications will act as service providers. These apps can consume the SAML-based identity service provided by the identity provider:

[diagram: SAML exchange between the identity provider and the service providers]

Some remarks:

  • There are open source or proprietary identity providers you can use, like Shibboleth
  • SAML uses HTTP as its underlying protocol
  • SAML is more or less universal. All kinds of technologies can use SAML. You are not limited to Java.
  • From a security standpoint it's always better to use well-known, well-established technologies instead of writing your own. SAML is well-known. But writing your own identity provider is risky.
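As an added illustration of the IdP/SP split the answer describes (this is not code from the answer or from the PicketLink project), here is what the two `picketlink.xml` deployment descriptors look like when one PicketLink Federation web app acts as the identity provider and a second one acts as a service provider. The element names follow the shape of the configuration used in the PicketLink Federation quickstarts; the hostnames, URLs, keystore paths, passwords and certificate aliases are placeholders I chose, and you should check the element set against the PicketLink version you actually deploy.

```xml
<!-- ========================================================= -->
<!-- Identity provider: idp.war/WEB-INF/picketlink.xml         -->
<!-- (deployment name, host and keystore details are assumed)  -->
<!-- ========================================================= -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <!-- SupportsSignatures="true": every assertion the IdP issues is signed,
       and signed AuthnRequests from SPs are validated. -->
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 SupportsSignatures="true">
    <IdentityURL>https://idp.example.com/idp/</IdentityURL>
    <Trust>
      <!-- Only service providers whose URL falls in these domains
           are trusted; an AuthnRequest from anywhere else is rejected. -->
      <Domains>example.com</Domains>
    </Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/idp-keystore.jks"/>
      <Auth Key="KeyStorePass" Value="changeit"/>
      <Auth Key="SigningKeyPass" Value="changeit"/>
      <Auth Key="SigningKeyAlias" Value="idp-signing"/>
      <!-- Maps an SP host to the alias of its certificate in the keystore,
           used to validate signatures on requests from that SP. -->
      <ValidatingAlias Key="app1.example.com" Value="app1-cert"/>
    </KeyProvider>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
  </Handlers>
</PicketLink>

<!-- ========================================================= -->
<!-- Service provider: app1.war/WEB-INF/picketlink.xml         -->
<!-- One such file per client application.                     -->
<!-- ========================================================= -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <!-- BindingType="POST": the SAML response is delivered via HTTP POST.
       SupportsSignatures="true": the SP refuses unsigned or badly signed
       responses instead of silently accepting them. -->
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                BindingType="POST" SupportsSignatures="true">
    <IdentityURL>https://idp.example.com/idp/</IdentityURL>
    <ServiceURL>https://app1.example.com/app1/</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/app1-keystore.jks"/>
      <Auth Key="KeyStorePass" Value="changeit"/>
      <Auth Key="SigningKeyPass" Value="changeit"/>
      <Auth Key="SigningKeyAlias" Value="app1-signing"/>
      <!-- The IdP's certificate alias: signatures on incoming responses
           must verify against this key or the login is rejected. -->
      <ValidatingAlias Key="idp.example.com" Value="idp-cert"/>
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
  </Handlers>
</PicketLink>
```

The two settings a practitioner should not leave at their defaults are `SupportsSignatures` and the `Trust/Domains` list: with signatures off, any party that can POST to the SP's `ServiceURL` can forge an assertion, and with an over-broad trust list the IdP will mint assertions for service providers it was never meant to serve. The `KeyStorePass` and `SigningKeyPass` values are placeholders; in a real deployment they come from the container's credential store, not from a file checked into source control.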