This documentation is outdated. It may no longer apply to recent midPoint versions.
SSO integration in midPoint 4.0 and earlier is unofficial functionality and it is not supported without a special support contract (see below). Therefore this is not part of official midPoint documentation and it is not updated.
MidPoint 4.1 will introduce official support for (some) SSO functionality in midPoint. See Flexible Authentication.
This functionality requires modification of midPoint build, or even modification of midPoint source code. Therefore it is not officially supported - unless the support is explicitly negotiated in subscription.
Currently midPoint has no convenient SSO support. However, as midPoint is built on top of Spring Security, there are ways to integrate midPoint with SSO. This page describes how it can be done.
If you are interested in proper SSO support, your best option is to contact the Evolveum team. You can support this feature by purchasing a Platform subscription or even by contributing the code. Even if you only purchase a midPoint subscription, you can use your influence to prioritize the development of SSO integration.
In order to enable SSO support in current midPoint you need to modify a couple of files in the midPoint source code and rebuild it. Therefore please make sure you are able to install midPoint from source code.
Currently midPoint has no SSO plugin of its own. The recommended way is to use an SSO agent in front of midPoint, e.g. to configure Apache HTTP server as a reverse proxy for midPoint and place an SSO agent into Apache. The agent should be able to inject an HTTP header carrying the username of the currently logged-in user. MidPoint can then be configured to accept the "authentication" based solely on the presence of the username in that HTTP header.
The Spring Security configuration for midPoint is in the gui/admin-gui/src/main/webapp/WEB-INF/ctx-web-security.xml file. This file needs to be modified.
Basically what needs to be done is to uncomment the following line:
<custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
and adjust the principalRequestHeader parameter in the following bean definition to the name of the header your SSO agent injects:
<beans:bean id="requestHeaderAuthenticationFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="SM_USER"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
You may also want to adjust the logout URL to point to the SSO single-logout page:
<beans:bean id="logoutHandler" class="com.evolveum.midpoint.web.security.AuditedLogoutHandler">
    <beans:property name="defaultTargetUrl" value="http://sso.example.com/logout"/>
</beans:bean>
Then rebuild and re-deploy midPoint.
Even though this method works reasonably well, there are some limitations:
The username passed in the HTTP header must exactly match the name of the user object in midPoint. There is no support for name mapping now. As the SSO system will usually be a configured resource in midPoint, care should be taken to map midPoint usernames to the resource usernames one-to-one without any transformation.
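The following is an added example, not part of the original page or of midPoint's own code. It models the trust chain described above (Apache SSO agent injecting SM_USER, midPoint accepting it) and the one-to-one name limitation, and makes explicit the two controls a practitioner needs around RequestHeaderAuthenticationFilter: the proxy must strip any SM_USER header a client supplies itself, and midPoint must accept the header only from the proxy, since the filter trusts the header blindly. The proxy address and user names are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PRINCIPAL_HEADER = "SM_USER"         # principalRequestHeader from ctx-web-security.xml
TRUSTED_PROXIES = {"10.0.0.5"}       # constructed: address of the Apache reverse proxy
MIDPOINT_USERS = {"jdoe", "asmith"}  # constructed: 'name' of user objects in midPoint


@dataclass
class Request:
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look them up accordingly."""
    for key, value in headers.items():
        if key.upper() == name.upper():
            return value
    return None


def reverse_proxy(client_req: Request, sso_session_user: Optional[str]) -> Request:
    """What the Apache SSO agent must do before forwarding to midPoint: drop any
    SM_USER the client sent itself, then set it only from its own validated SSO
    session (sso_session_user is None when the client has no SSO session)."""
    forwarded = {k: v for k, v in client_req.headers.items()
                 if k.upper() != PRINCIPAL_HEADER}
    if sso_session_user is not None:
        forwarded[PRINCIPAL_HEADER] = sso_session_user
    return Request(remote_addr="10.0.0.5", headers=forwarded)  # now sent by the proxy


def pre_auth_principal(req: Request) -> Optional[str]:
    """midPoint side. RequestHeaderAuthenticationFilter trusts whatever the header
    says, so the source-address check is a control you add around it (bind address
    or firewall), not something the filter does. Returns the midPoint user name or
    None. No name mapping: the header value must equal the user's name exactly."""
    if req.remote_addr not in TRUSTED_PROXIES:
        return None
    principal = _header(req.headers, PRINCIPAL_HEADER)
    if principal is None or principal not in MIDPOINT_USERS:
        return None
    return principal


if __name__ == "__main__":
    print(pre_auth_principal(reverse_proxy(Request("203.0.113.9"), "jdoe")))  # jdoe
    print(pre_auth_principal(Request("203.0.113.9", {"SM_USER": "jdoe"})))   # None
```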