Getting Started With flexmls SSO

To integrate your site with the flexmls Web IdP, you first need to decide which SP software package is best suited to your architecture. There are two main methods of implementing a SAML SP: web server modules and programming APIs.

Web Server Module

With this method, the SAML protocol is handled underneath the web application with a plugin or module. The software package takes control of a secured section of the web application. It handles the SAML protocol and redirects the browser, then provides the SAML attributes to the web application in environment variables.

The advantage of this method is that very few programming changes are required in the web app. The user is already authenticated when the web scripts are loaded, so the only change needed is to use the new variables where appropriate.

The disadvantage is that some software packages are more difficult to set up and configure than the API method. Web server modules are also more difficult to implement in a clustered environment. The login session is initiated on a single web server, and if that user is load balanced to a different machine the session has to be reloaded from the IdP. Some SPs do support session clustering, but another solution is to use “sticky” sessions in the load balancer.
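As an added illustration of the web server module method (not code from flexmls or from any particular SP package), the following Python WSGI sketch shows an application reading the attributes the module exports. The variable names `SAML_UID`, `SAML_MAIL` and `SAML_ROLES` and the `;` separator are assumptions; substitute whatever your SP module is configured to set.

```python
# Added example: consuming SAML attributes exported by a web server SP module.
# ATTR_VARS names and the separator are hypothetical; use your module's settings.
ATTR_VARS = {"user_id": "SAML_UID", "email": "SAML_MAIL", "roles": "SAML_ROLES"}
REQUIRED = ("user_id",)
MULTI_VALUE_SEP = ";"  # assumption: multi-valued attributes are joined with ';'


class NotAuthenticated(Exception):
    """Raised when the SP module did not supply the required attributes."""


def saml_identity(environ):
    """Build an identity dict from variables set by the SP module.

    Only the exact variable names are read. Request headers sent by the
    browser appear in CGI/WSGI as HTTP_* keys, so a forged "SAML-UID" header
    lands in HTTP_SAML_UID and is never consulted here.
    """
    identity = {}
    for field, var in ATTR_VARS.items():
        value = environ.get(var, "").strip()
        if field == "roles":
            identity[field] = [v for v in value.split(MULTI_VALUE_SEP) if v]
        else:
            identity[field] = value or None
    missing = [f for f in REQUIRED if not identity[f]]
    if missing:
        raise NotAuthenticated("missing SAML attributes: " + ", ".join(missing))
    return identity


def app(environ, start_response):
    """Minimal WSGI app for the secured section of the site."""
    try:
        who = saml_identity(environ)
    except NotAuthenticated:
        # Fail closed: the module should have authenticated the user already.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"No SAML session\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "Hello {user_id} ({email}); roles: {r}\n".format(
        r=",".join(who["roles"]), **who)
    return [body.encode("utf-8")]
```

The application fails closed when the required variable is absent, which also catches a path that was accidentally left outside the section the module protects.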

Programming API

SAML APIs are software libraries for specific programming languages that implement the SAML protocol. After installing and configuring the library, the web application calls various functions in the library to redirect the browser and return the SAML attributes. This requires more programming changes in the application, but can be easier to set up. Using an API can also make deployment in a clustered environment easier, since the web application handles the sessions and some type of shared session storage most likely already exists. Many of the details depend on the specific architecture.

