We are currently developing an application for a customer. The project has the restriction that we shall deliver only deployable WAR/EAR files. The customer provides the infrastructure and doesn't allow much deviation from it.
The application will be deployed on JBoss EAP 7.0 and requires authentication with SAML. The current version is a single monolithic WAR file.
At the moment, we are in the process of splitting this monolithic application into separate applications for multiple reasons (maintainability, deployment, code quality, ...). Unfortunately, we do not know yet how to implement authorization with these given restrictions:
Customer IdP restrictions:
Each application has to authorize itself with the IdP to receive roles and assertions. With the current (monolithic) deployment this is no problem, as we require only a single AssertionConsumerService.
But how can this be achieved with multiple deployments?
I tried to implement this with PicketLink SAML using the same security domain for all deployments. This works to the extent that only one AuthnRequest to the IdP is issued and PicketLink creates an SSO session (JSESSIONIDSSO). But only the application that receives the AuthnResponse from the IdP has access to the SAML assertions. Also, I couldn't find a way to let PicketLink listen for SAML responses on a path without a deployment, e.g. on /sso/saml while the applications reside under /apps/*.
Is there a way to implement this with PicketLink?