This is a brief introduction to AAF Rapid Connect and how it relates to the Security Assertion Markup Language 2.0 (SAML2) protocol. The AAF launched Rapid Connect in 2013 as an alternative method of connecting web services to the Federation using JSON Web Tokens (JWT).
Compared with Shibboleth or simpleSAMLphp, Rapid Connect is a lightweight method of connecting services or applications to the Federation. Rapid Connect is suitable for restricted environments or for services that do not require the advanced features available with SAML2. Rapid Connect is also suitable for connecting applications running on PaaS providers, such as Heroku, Google App Engine and RedHat OpenShift, to the Federation.
SAML2 is the primary method the AAF employs to join services to the Federation. The SAML2 protocol is a standard for exchanging authentication and authorisation information between security domains participating in a trust relationship. SAML2 includes many features and security options and permits user access to a range of service providers after a single successful authentication at an identity provider. SAML2 uses XML and XML DSIG, which contribute to the size of SAML assertions, and XML canonicalisation adds implementation complexity.
JSON Web Token
A JSON Web Token (JWT) is a compact, URL-safe method of passing identity information about the authenticated user between an identity provider and a service provider. JWTs provide a simple, secure token format that is small enough to fit into HTTP headers and query arguments in URIs. JWT achieves this by supporting a simpler token model than SAML, encoding the token as a JSON object, securing tokens with Message Authentication Codes (MACs), and employing digital signatures in a smaller (and less flexible) format than XML DSIG. JWTs are not a replacement for SAML assertions but are suitable when ease of implementation or compactness are considerations.
AAF Rapid Connect
AAF Rapid Connect is the translation agent between SAML2 assertions and JWTs and transforms requests and responses between a service and a user. A summary of the authentication flow follows:
A user accesses the application and its public content.
When authentication is necessary, the service directs the user's browser to a unique URL within the Rapid Connect service. The redirect can be triggered by:
presenting the URL as a link for the user to click, or
the application returning an HTTP 302 response that sends the user's browser to the URL.
Rapid Connect recognises the unique URL and redirects the browser to the user's home institution or the AAF Discovery Service.
The user authenticates at their institution's identity provider as usual.
On successful authentication, the identity provider directs the browser to the Rapid Connect service, which validates the user's identity information and generates a unique, signed JWT for the application using the secret set at service registration.
The browser then sends the generated JWT via HTTP POST to the application's callback endpoint.
At registration of a service with Rapid Connect, the following components are pre-configured:
The unique URL for directing a user's browser to Rapid Connect. The EntityID of a specific identity provider can be appended to this URL if it is known; otherwise the user is sent to the AAF Discovery Service to select their home organisation.
A secret used to sign the JWTs sent to the application; the application verifies each token's signature against this same secret before trusting its contents.
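The token format described under "JSON Web Token" and the callback step of the flow above come together at the application's callback endpoint, which must verify the POSTed JWT before acting on the identity it carries. The following is an added example (not AAF code and not the Rapid Connect service's implementation) of that verification using only the Python standard library: it pins the algorithm to HS256, checks the MAC with the shared secret, then checks issuer, audience, validity window and a per-token id to reject replays. The issuer, audience, secret and claim values are constructed assumptions for illustration; a real deployment takes them from its Rapid Connect registration.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not AAF code. Verifies an HS256-signed JWT the way an
# application's callback endpoint should before trusting the identity it
# carries. Issuer, audience and secret below are constructed assumptions.

LEEWAY_SECONDS = 60  # tolerated clock skew between issuer and application


class InvalidToken(Exception):
    """Raised for any token the application must not accept."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _decode_json(segment: str) -> dict:
    try:
        return json.loads(_b64url_decode(segment))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken(f"undecodable segment: {exc}")


def mint_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. Used here only to construct sample tokens; in
    the real flow the Rapid Connect service mints them with the shared secret."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token, secret, issuer, audience, seen_jti, now=None):
    """Return the claims of a token that passes every check, else raise.

    The algorithm is pinned and the MAC checked before any claim is read, so
    unsigned or foreign-signed payloads never influence the outcome. seen_jti
    is the application's store of consumed token ids (a set here, a database
    table in practice) used to reject replays of a captured token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    head_b64, body_b64, sig_b64 = parts
    header = _decode_json(head_b64)
    if header.get("alg") != "HS256":
        # Never let the token choose the algorithm (rejects "none" and key confusion).
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = _decode_json(body_b64)
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not intended for this application")
    for name in ("exp", "nbf", "jti"):
        if name not in claims:
            raise InvalidToken(f"missing required claim {name}")
    if now > claims["exp"] + LEEWAY_SECONDS:
        raise InvalidToken("token expired")
    if now < claims["nbf"] - LEEWAY_SECONDS:
        raise InvalidToken("token not yet valid")
    if claims["jti"] in seen_jti:
        raise InvalidToken("token replayed")
    seen_jti.add(claims["jti"])
    return claims


def reject_reason(token, secret, issuer, audience, seen_jti, now=None):
    """Convenience wrapper for logging: the rejection message, or None if accepted."""
    try:
        verify_hs256(token, secret, issuer, audience, seen_jti, now)
        return None
    except InvalidToken as exc:
        return str(exc)


# Constructed sample values (assumptions, not AAF's real endpoints or secret).
SECRET = b"shared-secret-from-registration"
ISSUER = "https://rapid.example.edu"
AUDIENCE = "https://app.example.edu/auth/jwt"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE, "sub": "alice@example.edu",
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700000120, "jti": "token-0001",
}

if __name__ == "__main__":
    token = mint_hs256(SAMPLE_CLAIMS, SECRET)
    print(verify_hs256(token, SECRET, ISSUER, AUDIENCE, set(), now=1700000010)["sub"])
```

The order of checks is the point: algorithm and MAC first, claims afterwards, and the token id recorded only once every other check has passed, so a token that fails late cannot poison the replay store. A production endpoint would keep seen_jti in shared storage with entries expiring at the token's exp, since a per-process set does not survive restarts or multiple instances.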
JWTs are suitable for services with restrictive environments or services not requiring the advanced features of the full SAML2 protocol. Rapid Connect is simple to use because JWTs have a reduced feature set. Details on AAF Rapid Connect and integration steps, with a summary of suitable JWT libraries for different programming languages, are available from https://rapid.aaf.edu.au/developers. These languages include: