๐ค AI Summary
Enterprise open-source software (OSS) frequently lacks native support for standard authentication protocols such as SAML and OIDC, hindering seamless single sign-on (SSO) integration and creating security governance gaps. To address this, we propose and formally define the โAuth Shimโ architectural patternโa lightweight, external proxy service that transparently bridges enterprise identity providers (e.g., Okta) with standalone OSS without modifying application source code. The Auth Shim programmatically translates authentication protocols via management APIs and automatically maps Identity and Access Management (IAM) groups to fine-grained Role-Based Access Control (RBAC) policies. Evaluated in a production Adobe environment, the pattern successfully integrated an open-source business intelligence tool with corporate SSO, enabling fully automated user provisioning and permission management. This eliminated manual configuration, strengthened compliance with security policies, and significantly improved operational efficiency.
๐ Abstract
Open-source software OSS is widely adopted in enterprise settings, but standalone tools often lack native support for protocols like SAML or OIDC, creating a critical security integration gap. This paper introduces and formalizes the Auth Shim, a lightweight architectural pattern designed to solve this problem. The Auth Shim is a minimal, external proxy service that acts as a compatibility layer, translating requests from an enterprise Identity Provider IdP into the native session management mechanism of a target application. A key prerequisite for this pattern is that the target application must expose a programmatic, secure administrative API. We present a case study of the pattern's implementation at Adobe to integrate a popular OSS BI tool with Okta SAML, which enabled automated Role-Based Access Control RBAC via IAM group mapping and eliminated manual user provisioning. By defining its components, interactions, and production deployment considerations, this paper provides a reusable, secure, and cost-effective blueprint for integrating any standalone OSS tool into an enterprise SSO ecosystem, thereby enabling organizations to embrace open-source innovation without compromising on security governance.