Spring Security and External Application for Authentication (Single-sign-on)

[dcmax12]

Hello,

I have a Spring based application that exposes 3 authentication choices for the user. Form based, Facebook Connect and a single-sign on from an external application. I'm not sure of the proper way to authenticate the last option.

Application A (Spring Security based) Application B (non-spring based legacy app)

Security Flow: -when a secured resource in application A is requested and the user is not authenticated, application A will redirect to application B where the user will be prompted with a login form and flow through application B's security flow. Application B will then do a HTTP POST to application A (via a callback url param sent with initial request) that consists of XML that will be validated in application A for its validity and if it passes the user should be authenticated in application A. What is the best approach for this scenario using Spring Security?

[Rob Winch]

This sounds very similar to the SAML flow. I would take a look at the Spring Security SAML code. You could also look at the OpenIDAuthenticationFilter or CasAuthenticationFilter code which both do Single Sign On and have a similar workflow.