

Currently midPoint does not have convenient SSO support. However, because midPoint is built on top of Spring Security, there are ways to integrate midPoint with SSO. This page describes how it can be done.

SSO Support in MidPoint

If you are interested in proper SSO support, your best option is to contact the Evolveum team. You can support this feature by purchasing a Platform subscription or by contributing the code. If you purchase a midPoint subscription, you can also use your influence to prioritize the development of SSO integration.


In order to enable SSO support in the current midPoint you need to modify a couple of files in the midPoint source code and rebuild it. Therefore please make sure you can install midPoint from source code.

Currently midPoint has no SSO plugin of its own. The recommended way is to use an SSO agent in front of midPoint, e.g. configure Apache HTTP server as a reverse proxy for midPoint and place an SSO agent into Apache. The agent should be able to inject an HTTP header with the username of the currently logged-in user. MidPoint can then be configured to accept the "authentication" based solely on the presence of the username in the HTTP header.

The Spring Security configuration for midPoint is in the gui/admin-gui/src/main/webapp/WEB-INF/ctx-web-security.xml file. This file needs to be modified.

Basically what needs to be done is to uncomment the following line:

and adjust the principalRequestHeader parameter in the requestHeaderAuthenticationFilter bean:

You may also want to adjust the logout URL to point to the SSO single-logout page:

Then rebuild and re-deploy midPoint.

Limitations and Notes

Even though this method works reasonably well there are some limitations:

  1. The username provided by the agent needs to be the same as the name of the user object in midPoint. There is no support for name mapping now. As the SSO system will usually be a configured resource in midPoint, care should be taken to map midPoint usernames to the resource usernames one-to-one without any transformation.
  2. Web services and REST: Web services have their own authentication and authorization (WS-Security), as does REST. These cannot currently be connected to the SSO. MidPoint does not yet support STS and/or OAuth, so the services are still limited to username/password authentication. However, do not forget to specify SSO enforcement exceptions (e.g. a non-enforcement list) for the service URLs:
    1. /model/* and /ws/* for web services
    2. /rest/* for REST service
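
The reverse-proxy arrangement and the non-enforcement list described above, as an added Apache 2.4 sketch that is not part of the original page or of midPoint. Because midPoint trusts the header alone, the proxy removes any client-supplied copy and midPoint should be reachable only through the proxy. The header name X-SSO-User, the backend address 127.0.0.1:8080 and the /midpoint context path are assumptions; the SSO agent's own directives are agent-specific and are left as a comment.

```apache
# Added example, placed inside the virtual host that fronts midPoint.
# Assumed values: header X-SSO-User (must equal principalRequestHeader in
# ctx-web-security.xml), midPoint on 127.0.0.1:8080 under /midpoint.
# Requires mod_proxy, mod_proxy_http and mod_headers.

# Remove any identity header sent by the client before other processing,
# so only the value set below can ever reach midPoint.
RequestHeader unset X-SSO-User early

# midPoint is assumed to listen on loopback only, so the proxy is the
# single entry point and the header cannot be supplied directly.
ProxyPass        "/midpoint/" "http://127.0.0.1:8080/midpoint/"
ProxyPassReverse "/midpoint/" "http://127.0.0.1:8080/midpoint/"

<Location "/midpoint/">
    # SSO agent directives (AuthType and its provider settings) go here.
    Require valid-user
    # Pass the authenticated username to midPoint; "set" replaces any
    # existing value of the header.
    RequestHeader set X-SSO-User "expr=%{REMOTE_USER}"
</Location>

# Non-enforcement list: web services and REST keep their own
# username/password authentication, so SSO is not enforced here and
# no identity header is forwarded.
<LocationMatch "^/midpoint/(model|ws|rest)/">
    Require all granted
    RequestHeader unset X-SSO-User
</LocationMatch>
```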
