Xdmod integration and SSO authentication methods for each service

Our site now has updated xdmod to a version supporting integration with ood.
From the customization page, the integration seems almost trivial, especially if skipping the job composer elements. This suggests to me that we rely on the following feature of xdmod:

Single Sign-on (SSO) Embedding

Open XDMoD allows for single sign on embedding so that end users do not have to explicitly sign in to XDMoD after they have already signed in to the other integrated application. When SSO is configured with the same IdP XDMoD can be embedded in an iframe at the login endpoint and iusers will be automatically logged in.

Is this the key concept? And if so, does SSO need implemented by the same method for both the xdmod and the ondemand servers? Our new install of XDMOD has not yet been integrated to our local SSO, and the XDMOD doc suggest it’s simpleSAML or the highway. But the ood discourse topics over the past year suggest more of a BYO-SSO implementation approach is fine.

Thanks – all guidance is appreicated.
~ Em

Yes.

Not only the same method, but by the same server. That’s the single in single sign on. Both systems (XDMoD and Open OnDemand) authenticate with the same Identity provider (IDP).

SAML is a broad specification (as in, it’s an RFC). Open ID Connect (like Keycloak, Dex, Google auth, and many others) is an implementation of SAML. Shibboleth is another implementation. Though I believe our integration is buggy with Shibboleth and I’m unable to test and confirm these bugs.

What’s your authentication system? If you use Open ID Connect, I can pull our configs as more examples.

We went with CAS ages ago. I was hoping to stick with CAS for our ood server, and implement SSO via SAML.

I seem to remain confused, after reading the xdmod docs, as to what information the ood and xdmod server exchange (if anything). They each perform auth with our campus SSO server, but i imagine the signin to ondemand then triggers a comm from ood to xdmod with user info, and then xdmod verifies identity via Case SSO before sharing user-specific info to the ood server for display through the dashboard. Oh, the hazards of a non-web developer as an ood admin…

This happens through CORS an http thing - Cross-Origin Resource Sharing (CORS) - HTTP | MDN

The flow is like this:

  • login to ondemand and get some token/cookie for that website
  • your own local browser then makes a request to XDMoD with that same token/cookie
  • XDMoD responds because the request has the token/cookie with it and it’s been configured to share resources across origins (CORS) - Open XDMoD - Integrations

Thanks, Jeff – I’ll focus on getting SSO implemented on our XDMOD server, and then just see if using CAS for the ondemand server satisfies the requirements for the integrations. From this helpful discussion with you, I don’t see why the flow cares about what package is used to implement SSO on the xdmod and ondemand servers.

Thanks again – I’ll update from our experience