SSO and Federation at the Edge
Organizations often centralize employee and partner sign-in in an identity provider (IdP). Applications behind a reverse proxy, load balancer, or API gateway may delegate authentication to that IdP using SAML or OpenID Connect (OIDC). This page stays vendor-neutral; cloud binding is in AWS IAM and Azure identity.
Why “at the Edge”
Edge here means the first HTTP(S) tier users hit: CloudFront, ALB, API Gateway, Application Gateway, nginx, or Ingress. That tier can:
- Terminate TLS and enforce WAF or rate limits.
- Redirect unauthenticated users to the IdP (OIDC authorization code flow).
- Validate tokens or SAML assertions before traffic reaches the app.
Keeping session and token validation consistent at the edge reduces duplicated logic in every service — at the cost of coupling release and config to that tier.
SAML 2.0 (Sketch)
- User requests a protected URL.
- Service (or edge) redirects to IdP with a SAML request.
- User authenticates at IdP.
- IdP POSTs a SAML assertion to the Assertion Consumer Service (ACS) URL.
- App (or middleware) validates signature, audience, time window, and issues an app session.
Operators care about metadata XML exchange, clock skew, certificate rollover on the IdP, and ACS URL correctness behind load balancers (if TLS offload is misconfigured, the app sees a different scheme or host and builds the wrong ACS URL).
OIDC (Sketch)
OIDC builds on OAuth 2.0:
- User is redirected to IdP authorize endpoint.
- User signs in; IdP redirects back with an authorization code.
- Backend exchanges code for tokens at the token endpoint.
- ID token (JWT) proves identity; access token may call APIs.
Operators care about client ID/secret or mTLS, redirect URI allowlists, token expiry, and JWKS rotation for signature verification.
Reverse Proxy Integration
Common patterns:
- OAuth2 Proxy-style sidecars or central proxies validate cookies and refresh tokens.
- nginx `auth_request` subrequest to a small auth service that understands OIDC.
- Managed API Gateway or App Service authentication handles OIDC with configuration only.
Align cookie domains, SameSite, and TLS termination with your IdP’s requirements.
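As an added example (not code from this page or from any project it names), here is the core check such a small auth service would run on an ID token, in Python with only the standard library: it resolves the token's `kid` against a JWKS, verifies the signature, and then enforces issuer, audience and the `exp`/`nbf` window with clock skew, so a rotated key keeps validating as long as both kids are published. The key set is constructed and uses symmetric HS256 keys purely so the block runs offline; a real IdP publishes RSA/EC public keys, signs with RS256/ES256, and the service would fetch and cache the JWKS from the IdP's discovery document rather than hard-code it.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-in for the IdP's JWKS: two symmetric "oct" keys so that
# rotation (old kid still accepted, new kid current) can be exercised offline.
# Real IdPs publish RSA/EC public keys and sign ID tokens with RS256/ES256.
JWKS = {"keys": [{"kid": "2023-key", "kty": "oct", "k": "old-secret"},
                 {"kid": "2024-key", "kty": "oct", "k": "new-secret"}]}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _lookup_key(kid):
    return next((k["k"].encode() for k in JWKS["keys"] if k["kid"] == kid), None)

def mint_token(claims: dict, kid: str) -> str:
    """Test helper: an HS256 token as the constructed IdP above would issue it."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_lookup_key(kid), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"

def validate_id_token(token, issuer, audience, now=None, skew=60):
    """Edge checks: kid/signature, then iss, aud, exp/nbf with skew; returns claims or raises."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":           # refuse alg=none / alg confusion
        raise ValueError("unexpected alg")
    key = _lookup_key(header.get("kid"))
    if key is None:                            # rotation: refetch JWKS, then retry
        raise ValueError("unknown kid")
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now > claims.get("exp", 0) + skew:
        raise ValueError("expired")
    if now + skew < claims.get("nbf", claims.get("iat", 0)):
        raise ValueError("not yet valid")
    return claims
```

Behind `auth_request`, a raised `ValueError` maps to a 401 from the auth service and the proxy redirects to the IdP; only a returned claims set lets the request through.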
Cloud Pointers
| Platform | Where to read |
|---|---|
| AWS IAM, federated users, roles | IAM |
| Azure AD / Entra ID, apps, SSO | Azure identity |
| TLS at the edge | TLS and Certificates, HTTP for Operators |
Summary
SAML and OIDC are the two dominant browser SSO protocols. Operating them well means correct URLs behind TLS termination, IdP cert rotation, token validation, and observability on 4xx/5xx at the edge — not only in the app.