SATOSA – a Modular Proxy

What Is SATOSA?Application Why SATOSA?Services

What Is SATOSA?

SATOSA is an authentication tool much like Shibboleth. In fact, SATOSA is a proxy, which operates between a service and an identity provider. It forwards the communication between the two or, in the case of different authentication protocols, enables it. Technically speaking, such a proxy is made up of two components: an IdP, which is able to communicate with the actual service, and a SP, which is in touch with the actual IdPs. The two parts of the proxy (IdP and SP) internally exchange the communicated information thereafter.

But SATOSA does not only allow you to forward the communication, but it also allows you to alter certain aspects of it: Attributes can be changed or requested from additional data bases, and you can even switch the authentication protocol that is being used. The modification of certain attributes can be necessary for example if only some of the attached IdPs report the mail address of the user, but the corresponding SP needs them from all users. In this case, SATOSA can alter the attribute of the mail address after first requesting it from a different data base.

When SATOSA “translates” between different authentication protocols, it looks something like this:

Structure Satosa: SP (Service Provider) component calls on IDPs (OIDC oder SAML) and the IdP (Identity Provider) component talks to the SPs using SAML or OIDC

What Can Satosa Do?

SATOSA is often used to enable communication between a service and an identity provider, even if they do not share an authentication protocol. This is often the case when an institution like a university or a research institute wants to allow its users to log in using social IDs. The issue: Universities and other research institutions often use SAML IdP to authenticate their users, while for social IDs like Facebook or Google, OpenID Connect or OAuth2 is more popular. By interposing a proxy like SATOSA, a smooth execution of the communication despite the different authentication protocols is possible.

Furthermore, SATOSA is frequently used for digital infrastructures like the AARC project, which is aimed at linking research and researchers: The AARC blueprint architecture, which serves as a prototype for research infrastructures, contains as a proxy as a central component, which simplifies the combination of the different research infrastructures. The idea behind this is that all services which are already a part of the research infrastructure are summed up behind one community proxy, so they can appear as one entity to other infrastructures. This not only reduces the complexity for each service, but also allows to implement actions at a central point which will then affect the entire infrastructure.

Photo: Peter Gietz draws a draft for an infrastructure of identity management system

What Are the Advantages of Satosa?

In contrast to other authentication tools (like Shibboleth or simpleSAMLphp), SATOSA was explicitly designed as a proxy and therefore offers many solutions out of the box. Satosa has a modular structure and consists of three layers:

Backends make up the SP component of the proxy and ensure the connection to the IdPs, where the user can authenticate him/herself. Satosa already includes generic backends for SAML and OIDC, as well as specific backends for many social IdPs.
Frontends make up the IdP component and communicate with the services. SAML and OIDC are already implemented here as well.
Microservices are located between the backends and the frontends and can perform a variety of functions. While one microservice initiates that additional attributes of a user are requested from a data base, another one ensures that a user has to approve the disclosure of his/her attributes (consent).

The modular structure of Satosa allows to integrate additional features with little expenses. This means that new authentication options like an LDAP authentication can be easily implemented.

What SATOSA Services Does DAASI International Offer?

Relating to SATOSA, DAASI International offers the following services:

Consulting: DAASI International will help you to find out if SATOSA is right for you and how best to put your project to work.
Conception: Once you chose SATOSA, DAASI International is by your side while creating your first draft.
Development: If any of your wishes are not fulfilled by SATOSA so far, DAASI International is happy to develop micro services for a variety of potential tasks.
Integration: As an experienced software developer, DAASI International reliably takes care of the implementation and integration of the selected SSO solution into your existing IT structure.
Operation and Support: During ongoing operations, DAASI International supports you through monitoring, reporting, consulting, maintenance, and the implementation of updates. Should any problems concerning SATOSA arise, DAASI International will be a competent partner at your disposal.
Training: The experts of DAASI International are happy to teach you and your employees about the structure, handling, and the maintenance of SSO systems.

Furthermore, DAASI International is happy to assist you with any questions concerning federations, SATOSA or Identity and Access Management.

You are looking for consulting, training, or support for SATOSA?

As an expert on the topic, DAASI International is happy to assist you with any questions.

Get in touch!

SATOSA – a Modular Proxy

What Is SATOSA?

What Can Satosa Do?

What Are the Advantages of Satosa?

What SATOSA Services Does DAASI International Offer?

You are looking for consulting, training, or support for SATOSA?

IDENTITY & ACCESS MANAGEMENT

DIGITAL HUMANITIES

COMPANY

CAREER