Tags: single-sign-on, saml, data-sharing

How to share data between two applications with SSO?


This is more of a philosophical/architecture question than "code" question.

Let's imagine that we have 2 applications (Service providers) with Single Sign-On. There is obviously data they have to share, mainly the information of the users (username, email, etc). This data is managed by the Identity Provider and "provided" to the service providers when the authentication is successful (the basics, I guess).

Let's also imagine that these 2 applications each have their own database in which they match each user retrieved from the IDP, but each database has its own info (columns) that belongs only to its associated application (not to the other!). But (another but), there are some other fields that both have to access (besides username, email, etc). For example, the first application has a list of available companies and the second application needs that information when creating a new user, to associate that user with an available company. How should that data be shared? Is creating an API the best/correct way to provide this type of info between applications? I'm mostly talking about lists of things that are too big to be sent through assertions.

Thanks in advance!


Solution

  • The SAML way is to use NameID as the "primary key" to map a user in the IDP to a user in the application.

    e.g. email could be sent as the NameID for application 1 and a UPN could be sent as the NameID for application 2. These would be in the assertions.

    Getting info between applications is not part of an IDP (other than using assertions), so this would have to be done via API.
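As an added example (not part of the answer above, and not any particular SAML library's code): mapping the NameID delivered in an assertion onto a row in the service provider's own user table, keyed on (issuer, NameID format, NameID value) so that two IdPs, or two formats from one IdP, cannot collide on the same string. The assertion is a constructed sample; signature, audience and validity-period checks are assumed to have been done by the SAML library before this code runs.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the IdP sends the e-mail address as the NameID for
# application 1, as in the answer's example. Not a real assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

@dataclass
class LocalUser:
    subject: tuple[str, str, str]  # (issuer, NameID format, NameID): the SP's key for an IdP user
    display_name: str
    company_id: int | None = None  # application-specific column the IdP knows nothing about

def parse_assertion(xml_text: str) -> tuple[tuple[str, str, str], dict[str, str]]:
    """Return the subject key and the attribute map from an assertion.
    Assumes signature, audience and validity period were already verified
    by the SAML library; this function does no security validation itself."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", namespaces=SAML) or "").strip()
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    if not issuer or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    fmt = name_id.get("Format", UNSPECIFIED)  # absent Format means "unspecified" per the spec
    attrs = {
        a.get("Name"): (a.findtext("saml:AttributeValue", namespaces=SAML) or "").strip()
        for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML)
    }
    return (issuer, fmt, name_id.text.strip()), attrs

def lookup_or_provision(users: dict, xml_text: str) -> LocalUser:
    """Map the assertion's NameID to a local row, creating it on first login
    (just-in-time provisioning). The local-only columns (company_id here)
    stay untouched on later logins because the IdP never sends them."""
    subject, attrs = parse_assertion(xml_text)
    user = users.get(subject)
    if user is None:
        user = LocalUser(subject, attrs.get("displayName", subject[2]))
        users[subject] = user
    return user
```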