Re: [higgins-dev] SAML 2.0 support + additional questions on higgins

Hello Markus,

Thanks a million for answering my queries.

You mentioned that the IdP does not retrieve attributes from datastores and does not include them in the assertion, but is it possible
to do so in Higgins? If possible, how?

Also, I believe the session management will be the responsibility of the solution which is built using Higgins, am I right?

Last one: I was browsing through other implementations of SSO which use SAML 2. One of them is Shibboleth, and it
does not provide SAML 2 Global logout.

Is it possible in Higgins?

Please share your inputs on my questions.

Many Thanks.

Best Regards,

On Wed, May 28, 2008 at 11:24 AM, Markus Sabadello <msabadello@xxxxxxxxxxxxx> wrote:
Hello lalit,

I have been working on the Higgins SAML 2.0 IdP component. As Brian said, the best place to look at is http://wiki.eclipse.org/SAML2_IdP.
Also, you can see a test relying party and the IdP deployed at https://graceland.parityinc.net/saml2idp-test/ (use saba/testpass to log in).

Regarding your requirements:

1) Yes the IdP speaks SAML 2.0, however not all features are currently implemented.
2) Yes the SP initiated SSO is exactly the scenario that is supported. The request is sent via the HTTP Redirect binding, and the response via the HTTP POST binding.
3) Our main efforts in Higgins have been on the IdP side, however there is also example relying party code. It does not automatically redirect to the IdP (you have to press a button), but that shouldn't be too hard to adapt to your needs.
4) The IdP currently does not retrieve attributes and include them in the assertion. It just asserts that the user "is logged in".
5) There are several ways in which the IdP can be configured to allow/deny certain requests. See the diagram at http://wiki.eclipse.org/SAML2_IdP_Overview#Security.
6) CD stands for "cross domain"? I am not sure what that means exactly. Could you clarify? If it means that the SP and IdP can be on different domains, well yes, why should that be a problem.
7) One of the core ideas of the Higgins architecture is to be able to support any protocol. In fact we are going to have a discussion about this topic tomorrow. There is another component in Higgins with overlapping functionality (the STS), and the big idea is to unify them to turn Higgins into a true multi-protocol server. See http://wiki.eclipse.org/SAML2_and_STS_Convergence for some thoughts on this.
8) I am not sure what you mean by wrappers. What should they do?

You may also be interested in the web config interface for the SAML 2.0 IdP: http://graceland.parityinc.net/saml2idp-server-config/


On Wed, May 28, 2008 at 11:48 AM, lalit ruchandani <higginsuser@xxxxxxxxxxxxxx> wrote:
Hello All,

I am looking for a framework for creating an SSO solution.
I found Higgins very interesting. I am completely unaware as to what all it offers and how.

I have the following requirements. Can anyone please let me know if Higgins suits the bill?

1) SAML 2.0 support (please let me know what is available)
2) SP-initiated SSO
3) Access check mechanism at SP, so that automatic redirect to IdP takes place
    when the user is not logged in. This redirect will include SAMLRequest (authentication)
4) Retrieving logged in attributes from LDAP/database upon successful authentication and passing them to ACS in assertion.
5) Access control is required at the application, i.e. protected application.
6) Provision for CD SSO
7) Provision for extending Higgins for various protocols like WAP, IVR, etc.
8) Provision of adding wrappers on top of Higgins' existing SAML 2 endpoints, if the need arises.

All experts, any help is greatly appreciated.

Many thanks in advance.

Best Regards,

higgins-dev mailing list
