Re: [higgins-dev] SAML 2.0 support + additional questions on higgins
- From: "Markus Sabadello" <msabadello@xxxxxxxxxxxxx>
- Date: Wed, 28 May 2008 12:24:16 +0200
I have been working on the Higgins SAML 2.0 IdP component. As Brian said, the best place to look at is http://wiki.eclipse.org/SAML2_IdP.
Also, you can see a test relying party and the IdP deployed at https://graceland.parityinc.net/saml2idp-test/ (use saba/testpass to log in).
Regarding your requirements:
1) Yes the IdP speaks SAML 2.0, however not all features are currently implemented.
2) Yes the SP initiated SSO is exactly the scenario that is supported. The request is sent via the HTTP Redirect binding, and the response via the HTTP POST binding.
3) Our main efforts in Higgins have been on the IdP side, however there is also example relying party code. It does not automatically redirect to the IdP (you have to press a button), but that shouldn't be too hard to adapt to your needs.
4) The IdP currently does not retrieve attributes and include them in the assertion. It just asserts that the user "is logged in".
5) There are several ways in which the IdP can be configured to allow/deny certain requests. See the diagram at http://wiki.eclipse.org/SAML2_IdP_Overview#Security.
6) CD stands for "cross domain"? I am not sure what that means exactly. Could you clarify? If it means that the SP and IdP can be on different domains, well yes, why should that be a problem.
7) One of the core ideas of the Higgins architecture is to be able to support any protocol. In fact we are going to have a discussion about this topic tomorrow. There is another component in Higgins with overlapping functionality (the STS), and the big idea is to unify them to turn Higgins into a true multi-protocol server. See http://wiki.eclipse.org/SAML2_and_STS_Convergence for some thoughts on this.
8) I am not sure what you mean with wrappers. What should they do?
You may also be interested in the web config interface for the SAML 2.0 IdP: http://graceland.parityinc.net/saml2idp-server-config/
On Wed, May 28, 2008 at 11:48 AM, lalit ruchandani <higginsuser@xxxxxxxxxxxxxx> wrote:
I am looking for a framework for creating an SSO solution.
I found higgins very interesting. I am completely unaware as to what all it offers and how.
I have following requirements. Can anyone please let me know if higgins suits the bill.
1) SAML 2.0 support ( please let me know what is available)
2) SP-Initiated SSO
3) Access check mechanism at SP, so that automatic redirect to IdP takes place when the user is not logged in. This redirect will include SAMLRequest (authentication)
4) retrieving logged in attributes from LDAP/Database upon successful authentication and passing it to ACS in assertion.
5) Access Control is required at the application i.e. protected application.
6) Provision for CD SSO
7) Provision for extending higgins for various protocols like WAP,IVR ..etc
8) Provision of adding wrappers on top of Higgins existing SAML 2 endpoints, if the need arises.
All experts, any help is greatly appreciated.
Many thanks in advance
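The SP-initiated flow Markus describes in item 2 of his reply (AuthnRequest sent over the HTTP-Redirect binding, Response returned over the HTTP-POST binding) and the SP-side access check lalit asks about in item 3, as an added Python example. This is not Higgins code and not the relying-party sample Markus mentions; the endpoint URLs, entity IDs and the unsigned sample response are constructed for illustration. The SP records the IDs of the requests it actually sent and rejects responses that are unsolicited, replayed, outside their validity window or addressed to another SP. XML signature verification, which a real SP must perform before trusting any of these fields, is deliberately left out.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical endpoints for this example; not Higgins' own URLs.
IDP_SSO_URL = "https://idp.example.test/saml2/sso"
SP_ACS_URL = "https://sp.example.test/saml2/acs"
SP_ENTITY_ID = "https://sp.example.test/metadata"

_pending = {}  # request ID -> issue time: the SP's record of requests it really sent


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now=None):
    """SP side: an AuthnRequest asking the IdP to answer over HTTP-POST."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{_ts(now)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    _pending[req_id] = now
    return req_id, xml


def redirect_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    )


def decode_redirect(url):
    """IdP side: reverse the Redirect binding to recover the AuthnRequest XML and RelayState."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), qs["RelayState"][0]


def make_sample_response(in_response_to, name_id, now, audience=SP_ENTITY_ID):
    """Constructed, unsigned IdP response for the example (a real IdP signs it)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{in_response_to}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
        f"<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode()}


def consume_post_response(form, now=None):
    """SP ACS side: checks on a Response delivered by the HTTP-POST binding.
    Returns (ok, reason, name_id). Signature verification is NOT done here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    ns = {"samlp": SAMLP, "saml": SAML}
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != SP_ACS_URL:
        return False, "not a Response addressed to this ACS", None
    in_resp = root.get("InResponseTo")
    if in_resp not in _pending:
        return False, "unsolicited or replayed InResponseTo", None
    code = root.find("samlp:Status/samlp:StatusCode", ns)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    assertion = root.find("saml:Assertion", ns)
    cond = assertion.find("saml:Conditions", ns) if assertion is not None else None
    if cond is None:
        return False, "assertion or Conditions missing", None
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP", None
    del _pending[in_resp]  # one response per request: a second copy fails the check above
    name_id = assertion.find("saml:Subject/saml:NameID", ns)
    return True, "ok", name_id.text if name_id is not None else None
```

The access check lalit describes in item 3 is the call to `build_authn_request` plus `redirect_url` when no session exists, with the originally requested path carried in `RelayState` so the user lands back where they started. In an SP running on more than one node, `_pending` has to be a shared store with an expiry matching the request's `IssueInstant`, otherwise the InResponseTo check only protects a single process.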