Single sign on failed to forward to service provider after authentication

Hi,

I tried to create an example for the SSO feature of 6.3 (RC2), which I find quite fascinating. You can find it here: GitHub - mariodavid/cuba-example-sso: CUBA platform example that shows how to use single sign on feature for multiple applications

It almost works, but one thing did not work. I assume I configured the application wrong, but you might have a look:
IDP: auth-app
SP: order-app

When I open http://auth-app:8081/app I get redirected to the IDP login (http://auth-app:8081/app/idp), which works. After a correct login, I get forwarded to the auth-app (which is fine as well). Now when I go directly to http://order-app:8082/app I get redirected to http://auth-app:8081/app (since I'm already logged in, not to the IDP, which is correct). But what is wrong is that I am not forwarded to http://order-app:8082/app. The same thing happens when I log out of the auth-app before.
So going to http://order-app:8082/app gets me to the IDP login. After the successful login, I get forwarded to http://auth-app:8081/app (which is wrong).

For the example I created a shell script cuba-example-sso/start-sso-example.sh at master · mariodavid/cuba-example-sso · GitHub that you can execute to start the environment (it requires Docker to be installed for the Postgres installations, as well as entries for "auth-app" and "order-app" in /etc/hosts).

Another question: Is there a particular reason the IDP login does not use Vaadin for the UI? This would probably be the first thing for me to customize, to get the normal login screen back up (with features like the loading indicator on the top, the buttons etc.)

Thanks in advance!

Bye,
Mario


Please change your "cuba.webAppUrl" in all the applications to be the same as mentioned in "cuba.idp.serviceProviderUrls"; if it ends with "/" in "cuba.idp.serviceProviderUrls", it should end with "/" in "cuba.webAppUrl".

Note that several problems with IDP are already fixed in 6.3-SNAPSHOT versions; please take a look at it again after 6.3.0 final.

The IDP login form is implemented without Vaadin to be as lightweight as possible and compatible with any third-party service providers. It uses only simple HTML markup and minimal JS code + web service and can be customized easily without recompilation of Java code.
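
The exact-match requirement from the reply above, as an added example that is not part of the original thread or of CUBA itself: a small Python check that compares a service provider's cuba.webAppUrl with the IDP's cuba.idp.serviceProviderUrls and flags a trailing-slash mismatch. The comma-separated list format, the function names and the sample property values are assumptions constructed for illustration.

```python
# Added example (not CUBA code): lint SSO properties for the exact-match rule.
# Assumption: cuba.idp.serviceProviderUrls is a comma-separated list of URLs.

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' or '!' comments,
    no line continuations or escapes (enough for this check)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_sp(idp_props, sp_props):
    """Compare one service provider's cuba.webAppUrl with the IDP's list.
    Returns (status, detail); status is 'ok', 'missing', 'trailing-slash'
    or 'unregistered'."""
    raw = idp_props.get("cuba.idp.serviceProviderUrls", "")
    allowed = [u.strip() for u in raw.split(",") if u.strip()]
    url = sp_props.get("cuba.webAppUrl", "")
    if not url:
        return ("missing", "cuba.webAppUrl is not set")
    if url in allowed:  # the comparison is exact, character for character
        return ("ok", url)
    for registered in allowed:
        # Near miss: the same URL apart from a trailing "/"
        if registered.rstrip("/") == url.rstrip("/"):
            return ("trailing-slash",
                    f"webAppUrl {url!r} vs registered {registered!r}")
    return ("unregistered", f"{url!r} is not in {allowed}")

# Constructed sample properties using the host names from this thread.
IDP_SAMPLE = """# IDP application (constructed sample)
cuba.idp.serviceProviderUrls = http://auth-app:8081/app/,http://order-app:8082/app/
"""
SP_SAMPLE = """# order-app (constructed sample, trailing slash missing)
cuba.webAppUrl = http://order-app:8082/app
"""

if __name__ == "__main__":
    print(check_sp(parse_properties(IDP_SAMPLE), parse_properties(SP_SAMPLE)))
```
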

Hi Yuiry,

I will take a look at it in the next few days.

Thanks for the explanation…