Re: [higgins-dev] SAML 2.0 support + additional questions on higgins

Hi again,

See inline for answers.

On Wed, May 28, 2008 at 1:24 PM, lalit ruchandani <higginsuser@xxxxxxxxxxxxxx> wrote:
Hello Markus,

Thanks a million for answering my queries.

You mentioned that the IdP does not retrieve attributes from datastores and does not include them in the assertion, but is it possible
to do so in Higgins? If possible, how?

Of course this is possible in Higgins.. The SAML2 IdP uses the Higgins "IdAS" component (see http://wiki.eclipse.org/IdAS) for talking to the LDAP directory and other datastores. The very purpose of IdAS ("Identity Attribute Service") is to authenticate users AND retrieve attributes!

We just haven't implemented the piece of code that would take these attributes from IdAS and put them into the SAML 2.0 assertion, but this should be no big deal. This is something that might happen soon in the course of the ongoing discussion on the convergence of the SAML2 IdP and STS components I mentioned in my previous mail.

Also, I believe the session management will be the responsibility of the solution which is built using Higgins, am I right?

The IdP maintains its own session.. I.e. if an SP is asking for an assertion and the user is already logged in at the IdP, then the assertion will be issued without the user having to input username/password.

But yes, session management at the SP is something you want to do yourself.

Last one: I was browsing through other implementations of SSO which use SAML 2. One of them is Shibboleth and it
does not provide SAML 2 global logout.

Is it possible in Higgins?

Hmm, I am not really an expert on SAML, so I'm not sure what global logout means exactly.

The user can of course be logged out at the IdP (try this: http://graceland.parityinc.net/saml2idp-server/Logout). So if the user logs out at the SP, then the SP could issue a redirect to the IdP logout URL.

Not sure if this is what you are looking for.

Markus

Please share your inputs on my questions.

Many Thanks.


Best Regards,
Lalit


On Wed, May 28, 2008 at 11:24 AM, Markus Sabadello <msabadello@xxxxxxxxxxxxx> wrote:
Hello Lalit,

I have been working on the Higgins SAML 2.0 IdP component. As Brian said, the best place to look at is http://wiki.eclipse.org/SAML2_IdP.
Also, you can see a test relying party and the IdP deployed at https://graceland.parityinc.net/saml2idp-test/ (use saba/testpass to log in).

Regarding your requirements:

1) Yes the IdP speaks SAML 2.0, however not all features are currently implemented.
2) Yes the SP initiated SSO is exactly the scenario that is supported. The request is sent via the HTTP Redirect binding, and the response via the HTTP POST binding.
3) Our main efforts in Higgins have been on the IdP side, however there is also example relying party code. It does not automatically redirect to the IdP (you have to press a button), but that shouldn't be too hard to adapt to your needs..
4) The IdP currently does not retrieve attributes and include them in the assertion. It just asserts that the user "is logged in".
5) There are several ways in which the IdP can be configured to allow/deny certain requests. See the diagram at http://wiki.eclipse.org/SAML2_IdP_Overview#Security.
6) CD stands for "cross domain"? I am not sure what that means exactly. Could you clarify? If it means that the SP and IdP can be on different domains, well yes, why should that be a problem..
7) One of the core ideas of the Higgins architecture is to be able to support any protocol.. In fact we are going to have a discussion about this topic tomorrow. There is another component in Higgins with overlapping functionality (the STS), and the big idea is to unify them to turn Higgins into a true multi-protocol server. See http://wiki.eclipse.org/SAML2_and_STS_Convergence for some thoughts on this.
8) I am not sure what you mean with wrappers.. What should they do?

You may also be interested in the web config interface for the SAML 2.0 IdP: http://graceland.parityinc.net/saml2idp-server-config/

Markus

On Wed, May 28, 2008 at 11:48 AM, lalit ruchandani <higginsuser@xxxxxxxxxxxxxx> wrote:
Hello All,

I am looking for a framework for creating an SSO solution.
I found Higgins very interesting. I am completely unaware as to what all it offers and how.

I have the following requirements. Can anyone please let me know if Higgins suits the bill.

1) SAML 2.0 support (please let me know what is available)
2) SP-initiated SSO
3) Access check mechanism at the SP, so that an automatic redirect to the IdP takes place
   when the user is not logged in. This redirect will include a SAMLRequest (authentication).
4) Retrieving logged-in attributes from LDAP/database upon successful authentication and passing them to the ACS in the assertion.
5) Access control is required at the application, i.e. the protected application.
6) Provision for CD SSO
7) Provision for extending Higgins for various protocols like WAP, IVR, etc.

8) Provision for adding wrappers on top of Higgins' existing SAML 2 endpoints, if the need arises.


All experts, any help is greatly appreciated.

Many thanks in advance.

Best Regards,
Lalit

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev

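The SP-initiated flow discussed in this thread (an access check at the SP, an AuthnRequest sent via the HTTP Redirect binding, the response received via the HTTP POST binding and matched to the request), as an added Python example that is not Higgins code and not Markus's or Lalit's; the endpoint URLs, the `/app` path and the IssueInstant are constructed placeholders, and XML signature verification is assumed to be done by a SAML library before the response check.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed, hypothetical endpoints; not the Higgins test deployment's real URLs.
IDP_SSO_URL = "https://idp.example.test/saml2idp-server/SSO"
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/acs"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest for SP-initiated SSO, asking for a POST response."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(xml_request, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_request.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)

def decode_redirect_param(saml_request_param):
    """Inverse of the Redirect binding, as the IdP's SSO endpoint applies it."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()

def access_check(session, pending, path, issue_instant="2008-05-28T11:24:00Z"):
    """SP access check: a logged-in session passes (None); otherwise build the redirect."""
    if session.get("user"):
        return None
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    pending[request_id] = path  # remembered so the IdP's response can be matched to it
    return redirect_binding_url(build_authn_request(request_id, issue_instant), path)

def accept_post_response(saml_response_b64, pending):
    """ACS side of the HTTP-POST binding (base64 only, no DEFLATE). Rejects a response that
    matches no pending request or is not Success; signature verification assumed done before."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS_P}}}Response" or root.get("InResponseTo") not in pending:
        return None
    code = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return None
    return pending.pop(root.get("InResponseTo"))  # path to resume after login
```

Because the pending request ID is consumed on success, a second delivery of the same response is rejected, which is the SP-side check the thread's "session management at the SP" point leaves to the integrator.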