The Auth Shim: A Lightweight Architectural Pattern for Integrating Enterprise SSO with Standalone Open-Source Applications

๐Ÿ“… 2025-09-04
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF

career value

207K/year
๐Ÿค– AI Summary
Enterprise open-source software (OSS) frequently lacks native support for standard authentication protocols such as SAML and OIDC, hindering seamless single sign-on (SSO) integration and creating security governance gaps. To address this, we propose and formally define the โ€œAuth Shimโ€ architectural patternโ€”a lightweight, external proxy service that transparently bridges enterprise identity providers (e.g., Okta) with standalone OSS without modifying application source code. The Auth Shim programmatically translates authentication protocols via management APIs and automatically maps Identity and Access Management (IAM) groups to fine-grained Role-Based Access Control (RBAC) policies. Evaluated in a production Adobe environment, the pattern successfully integrated an open-source business intelligence tool with corporate SSO, enabling fully automated user provisioning and permission management. This eliminated manual configuration, strengthened compliance with security policies, and significantly improved operational efficiency.

Technology Category

Application Category

๐Ÿ“ Abstract
Open-source software OSS is widely adopted in enterprise settings, but standalone tools often lack native support for protocols like SAML or OIDC, creating a critical security integration gap. This paper introduces and formalizes the Auth Shim, a lightweight architectural pattern designed to solve this problem. The Auth Shim is a minimal, external proxy service that acts as a compatibility layer, translating requests from an enterprise Identity Provider IdP into the native session management mechanism of a target application. A key prerequisite for this pattern is that the target application must expose a programmatic, secure administrative API. We present a case study of the pattern's implementation at Adobe to integrate a popular OSS BI tool with Okta SAML, which enabled automated Role-Based Access Control RBAC via IAM group mapping and eliminated manual user provisioning. By defining its components, interactions, and production deployment considerations, this paper provides a reusable, secure, and cost-effective blueprint for integrating any standalone OSS tool into an enterprise SSO ecosystem, thereby enabling organizations to embrace open-source innovation without compromising on security governance.
Problem

Research questions and friction points this paper is trying to address.

Integrating enterprise SSO with standalone open-source applications lacking native protocol support
Providing a lightweight architectural pattern to bridge security integration gaps
Enabling secure authentication without modifying original application code
Innovation

Methods, ideas, or system contributions that make the work stand out.

Lightweight proxy for SSO integration
Translates IdP requests to app sessions
Enables automated RBAC via group mapping
๐Ÿ”Ž Similar Papers
No similar papers found.