The Auth Shim: A Lightweight Architectural Pattern for Integrating Enterprise SSO with Standalone Open-Source Applications

• URL: http://arxiv.org/abs/2509.03900v2
• Date: Fri, 12 Sep 2025 10:44:36 GMT
• Title: The Auth Shim: A Lightweight Architectural Pattern for Integrating Enterprise SSO with Standalone Open-Source Applications
• Authors: Yuvraj Agrawal,
• Abstract summary: Open-source software OSS is widely adopted in enterprise settings, but standalone tools often lack native support for protocols like IAM or OIDC.<n>This paper introduces and formalizes the Auth Shim, a lightweight architectural pattern designed to solve this problem.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Open-source software OSS is widely adopted in enterprise settings, but standalone tools often lack native support for protocols like SAML or OIDC, creating a critical security integration gap. This paper introduces and formalizes the Auth Shim, a lightweight architectural pattern designed to solve this problem. The Auth Shim is a minimal, external proxy service that acts as a compatibility layer, translating requests from an enterprise Identity Provider IdP into the native session management mechanism of a target application. A key prerequisite for this pattern is that the target application must expose a programmatic, secure administrative API. We present a case study of the pattern's implementation at Adobe to integrate a popular OSS BI tool with Okta SAML, which enabled automated Role-Based Access Control RBAC via IAM group mapping and eliminated manual user provisioning. By defining its components, interactions, and production deployment considerations, this paper provides a reusable, secure, and cost-effective blueprint for integrating any standalone OSS tool into an enterprise SSO ecosystem, thereby enabling organizations to embrace open-source innovation without compromising on security governance.

Related papers

• OpenSage: Self-programming Agent Generation Engine [56.399761469404496]
  We propose OpenSage, the first agent development kit (ADK) to automatically create agents with self-generated topology and toolsets.<n>OpenSage offers effective functionality for agents to create and manage their own sub-agents and toolkits.<n>We believe OpenSage can pave the way for the next generation of agent development, shifting the focus from human-centered to AI-centered paradigms.
  arXiv  Detail & Related papers  (2026-02-18T21:16:29Z)
• Towards Verifiably Safe Tool Use for LLM Agents [53.55621104327779]
  Large language model (LLM)-based AI agents extend capabilities by enabling access to tools such as data sources, APIs, search engines, code sandboxes, and even other agents.<n>LLMs may invoke unintended tool interactions and introduce risks, such as leaking sensitive data or overwriting critical records.<n>Current approaches to mitigate these risks, such as model-based safeguards, enhance agents' reliability but cannot guarantee system safety.
  arXiv  Detail & Related papers  (2026-01-12T21:31:38Z)
• Enterprise Identity Integration for AI-Assisted Developer Services: Architecture, Implementation, and Case Study [0.0]
  This article presents a practical architecture that incorporates OAuth 2.0 and OpenID Connect (OIDC) into MCP-enabled developer environments.<n>A prototype implementation using Visual Studio Code, a Python-based MCP server, and an OIDC-compliant IdP demonstrates feasibility.<n>The approach provides a deployable pattern for organizations adopting AI-assisted developer tools while maintaining identity assurance and auditability.
  arXiv  Detail & Related papers  (2026-01-06T04:17:52Z)
• Orchestral AI: A Framework for Agent Orchestration [45.946776875141666]
  Orchestral is a lightweight Python framework that provides a unified, type-safe interface for building LLM agents across major providers.<n>It operates seamlessly across providers, eliminating manual format translation and reducing framework-induced complexity.<n>It supports advanced agent capabilities found in larger frameworks, including rich tool calling, context compaction, sandboxing, user approval, sub-agents, memory management, and MCP integration.
  arXiv  Detail & Related papers  (2026-01-05T22:02:11Z)
• Zero Trust Security Model Implementation in Microservices Architectures Using Identity Federation [0.0]
  The article itself is a case on the need of the Zero Trust Security Model of micro services ecosystem.<n>It is proposed that the solution framework will be based on industry-standard authentication and authorization and end-to-end trust identity technologies.<n>The research results overlay that the federated identity combined with the Zero Trust basics not only guarantee the rules relating to authentication and authorization but also fully complies with the latest DevSecOps standards of microservice deployment.
  arXiv  Detail & Related papers  (2025-11-07T02:03:05Z)
• The OpenHands Software Agent SDK: A Composable and Extensible Foundation for Production Agents [46.254487394746725]
  We present the OpenHands Software Agent SDK, a toolkit for implementing software development agents.<n>To achieve flexibility, we design a simple interface for implementing agents that requires only a few lines of code in the default case.<n>For security and reliability, it delivers seamless local-to-remote execution portability, integrated REST/WebSocket services.
  arXiv  Detail & Related papers  (2025-11-05T18:16:44Z)
• Bridging the Mobile Trust Gap: A Zero Trust Framework for Consumer-Facing Applications [51.56484100374058]
  This paper proposes an extended Zero Trust model designed for mobile applications operating in untrusted, user-controlled environments.<n>Using a design science methodology, the study introduced a six-pillar framework that supports runtime enforcement of trust.<n>The proposed model offers a practical and standards-aligned approach to securing mobile applications beyond pre-deployment controls.
  arXiv  Detail & Related papers  (2025-08-20T18:42:36Z)
• Hard-Earned Lessons in Access Control at Scale: Enforcing Identity and Policy Across Trust Boundaries with Reverse Proxies and mTLS [0.5371337604556311]
  In today's enterprise environment, traditional access methods such as Virtual Private Networks (VPNs) and application-specific Single Sign-On (SSO) often fall short when it comes to securely scaling access for a distributed and dynamic workforce.<n>This paper presents our experience implementing a modern, Zero Trust-aligned architecture that leverages a reverse proxy integrated with Mutual TLS (mTLS) and centralized SSO.<n>This multidimensional solution involves both per-device and per-user authentication, centralized enforcement of security policies, and comprehensive observability.
  arXiv  Detail & Related papers  (2025-08-03T17:32:11Z)
• ETDI: Mitigating Tool Squatting and Rug Pull Attacks in Model Context Protocol (MCP) by using OAuth-Enhanced Tool Definitions and Policy-Based Access Control [0.0]
  The Model Context Protocol (MCP) plays a crucial role in extending the capabilities of Large Language Models (LLMs)<n>The standard MCP specification presents significant security vulnerabilities, notably Tool Poisoning and Rug Pull attacks.<n>This paper introduces the Enhanced Tool Definition Interface (ETDI), a security extension designed to fortify MCP.
  arXiv  Detail & Related papers  (2025-06-02T05:22:38Z)
• Zero-Trust Foundation Models: A New Paradigm for Secure and Collaborative Artificial Intelligence for Internet of Things [61.43014629640404]
  Zero-Trust Foundation Models (ZTFMs) embed zero-trust security principles into the lifecycle of foundation models (FMs) for Internet of Things (IoT) systems.<n>ZTFMs can enable secure, privacy-preserving AI across distributed, heterogeneous, and potentially adversarial IoT environments.
  arXiv  Detail & Related papers  (2025-05-26T06:44:31Z)
• Simplified and Secure MCP Gateways for Enterprise AI Integration [0.0]
  This paper introduces the MCP Gateway to simplify self-hosted MCP server integration.<n>The proposed architecture integrates security principles, authentication, intrusion detection, and secure tunneling.
  arXiv  Detail & Related papers  (2025-04-28T17:17:42Z)
• Securing GenAI Multi-Agent Systems Against Tool Squatting: A Zero Trust Registry-Based Approach [0.0]
  This paper analyzes tool squatting threats within the context of emerging interoperability standards.<n>It introduces a comprehensive Tool Registry system designed to mitigate these risks.<n>Based on its design principles, the proposed registry framework aims to effectively prevent common tool squatting vectors.
  arXiv  Detail & Related papers  (2025-04-28T16:22:21Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• A Universal System for OpenID Connect Sign-ins with Verifiable Credentials and Cross-Device Flow [4.006745047019997]
  Self-Sovereign Identity (SSI) is a new and promising identity management paradigm. We propose a comparatively simple system that enables SSI-based sign-ins for services that support the widespread OpenID Connect or OAuth 2.0 protocols.
  arXiv  Detail & Related papers  (2024-01-16T16:44:30Z)
• Analyzing Maintenance Activities of Software Libraries [55.2480439325792]
  Industrial applications heavily integrate open-source software libraries nowadays.<n>I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
  arXiv  Detail & Related papers  (2023-06-09T16:51:25Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.