Single Sign On between Node.js & WebSphere Portal

We are developing a RESTful service in Node.js which will be called using AJAX from a page in WebSphere Portal. This Node.js service will fetch some data from the backend system for the user who has logged in to WebSphere Portal (authenticating out of MS Active Directory).

My question is how to securely pass the user identity from Portal to the Node.js service? Just passing the user identity with HTTP request is obviously vulnerable. So what is the recommended way to authenticate the request coming from Portal in Node.js?

Between 2 WebSphere applications, LTPA based Single Sign On is possible. Is there a similar mechanism which can be used between WebSphere & Node.js?

WebSphere AppServer 7.0 (later fix packs) and higher, upon which Portal runs, ships with SAML 2.0 capabilities. It can be used to have the browser post a digitally signed SAML XML document to a URL in the node app. The node app would need to establish a trust relationship with the portal app by public key validation of the digital signature on the SAML XML document. There's also an npm package that purports to be able to validate SAML documents from an identity provider.

It will involve more HTTP requests than just your application's Ajax URL, but it is a secure, standards-based way of trusting that the browser was sent from your trusted portal, without having the two servers talk directly. Your portal is the IdP (identity provider) actor and the node app the SP (service provider) in SAML semantics.