Re: [higgins-dev] SAML 2.0 support + additional questions on higgins
Lalit,
many of your questions have more to do with the SAML 2.0 protocols - I
think you can get some answers (and also a lot of interest in your
project) from the saml-dev mailing list.
You can subscribe to the mailing list at:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#feedback
- prateek
Hello Markus,
Thanks a million for answering my queries.
You mentioned that the IdP does not retrieve attributes from datastores
and does not include them in the assertion, but is it possible
to do so in Higgins? If possible, how?
Also, I believe the session management will be the responsibility of
the solution which is built using Higgins, am I right?
Last one, I was browsing through other implementations of SSO which use
SAML 2. One of them is Shibboleth and it
does not provide SAML 2 global logout.
Is it possible in Higgins?
Please share your inputs on my questions.
Many Thanks.
Best Regards,
Lalit
On Wed, May 28, 2008 at 11:24 AM, Markus Sabadello
<msabadello@xxxxxxxxxxxxx> wrote:
Hello Lalit,
I have been working on the Higgins SAML 2.0 IdP component. As
Brian said, the best place to look at is
http://wiki.eclipse.org/SAML2_IdP.
Also, you can see a test relying party and the IdP deployed at
https://graceland.parityinc.net/saml2idp-test/ (use saba/testpass
to log in).
Regarding your requirements:
1) Yes the IdP speaks SAML 2.0, however not all features are
currently implemented.
2) Yes the SP initiated SSO is exactly the scenario that is
supported. The request is sent via the HTTP Redirect binding, and
the response via the HTTP POST binding.
3) Our main efforts in Higgins have been on the IdP side, however
there is also example relying party code. It does not
automatically redirect to the IdP (you have to press a button),
but that shouldn't be too hard to adapt to your needs..
4) The IdP currently does not retrieve attributes and include them
in the assertion. It just asserts that the user "is logged in".
5) There are several ways in which the IdP can be configured to
allow/deny certain requests. See the diagram at
http://wiki.eclipse.org/SAML2_IdP_Overview#Security.
6) CD stands for "cross domain"? I am not sure what that means
exactly. Could you clarify? If it means that the SP and IdP can be
on different domains, well yes, why should that be a problem..
7) One of the core ideas of the Higgins architecture is to be able
to support any protocol.. In fact we are going to have a
discussion about this topic tomorrow. There is another component
in Higgins with overlapping functionality (the STS), and the big
idea is to unify them to turn Higgins into a true multi-protocol
server. See http://wiki.eclipse.org/SAML2_and_STS_Convergence for
some thoughts on this.
8) I am not sure what you mean with wrappers.. What should they do?
You may also be interested in the web config interface for the
SAML 2.0 IdP: http://graceland.parityinc.net/saml2idp-server-config/
Markus
On Wed, May 28, 2008 at 11:48 AM, lalit ruchandani
<higginsuser@xxxxxxxxxxxxxx>
wrote:
Hello All,
I am looking for a framework for creating an SSO solution.
I found Higgins very interesting. I am completely unaware as to
what all it offers and how.
I have the following requirements. Can anyone please let me know
if Higgins suits the bill.
1) SAML 2.0 support (please let me know what is available)
2) SP-Initiated SSO
3) Access check mechanism at SP, so that automatic redirect to
IdP takes place
when the user is not logged in. This redirect will
include SAMLRequest (authentication)
4) retrieving logged-in attributes from LDAP/Database upon
successful authentication and passing it to ACS in assertion.
5) Access Control is required at the application i.e.
protected application.
6) Provision for CD SSO
7) Provision for extending Higgins for various protocols like
WAP, IVR, etc.
8) Provision of adding wrappers on top of Higgins existing
SAML 2 endpoints, if the need arises.
ALL experts, any help is greatly appreciated.
Many thanks in advance.
Best Regards,
Lalit
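The SP-initiated flow Markus describes in point 2 (AuthnRequest over the HTTP Redirect binding, Response over the HTTP POST binding), together with the SP-side access check and redirect Lalit asks for in point 3, as an added example that is not part of this thread or of the Higgins relying-party code: the SP builds the redirect URL for a user who is not logged in, and its ACS correlates the returned Response with the outstanding request ID and checks Destination, Status, validity window and Audience before accepting the NameID. The endpoint URLs are hypothetical and the IdP response is constructed locally; XML signature verification, which a real ACS must complete before trusting any of these fields, is left out because it needs an XML-Signature library.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlencode

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS, TS = "urn:oasis:names:tc:SAML:2.0:status:Success", "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical endpoints: assumptions for this example, not the Higgins project's own.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.test/metadata", "https://sp.example.test/acs"
IDP_SSO_URL = "https://idp.example.test/sso"
utc_now = lambda: dt.datetime.now(dt.timezone.utc)
utc = lambda s: dt.datetime.strptime(s, TS).replace(tzinfo=dt.timezone.utc)  # SAML "Z" timestamps

def build_redirect_url(request_id, relay_state="/protected"):
    """SP access check failed: build the HTTP-Redirect-binding URL (raw DEFLATE, base64, URL-encode)."""
    req = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
           f'IssueInstant="{utc_now().strftime(TS)}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'  # Response is to come back by POST
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    co = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE with no zlib header, as the Redirect binding requires
    b64 = base64.b64encode(co.compress(req.encode()) + co.flush()).decode()
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': b64, 'RelayState': relay_state})}"

def sample_response(in_response_to, name_id="saba", minutes=5):
    """Constructed, unsigned POST-binding Response for local testing only (not real IdP output)."""
    nb, noa = ((utc_now() + dt.timedelta(minutes=m)).strftime(TS) for m in (0, minutes))
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="{nb}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}"><samlp:Status>'
           f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="_a1" Version="2.0" '
           f'IssueInstant="{nb}"><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction><saml:Audience>'
           f'{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def accept_post_response(saml_response_b64, outstanding_id, now=None):
    """ACS side, run after XML-DSig verification (omitted here): return the NameID or raise ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != SP_ACS_URL:
        raise ValueError("not a Response addressed to this ACS")
    if root.get("InResponseTo") != outstanding_id:  # rejects unsolicited and replayed responses
        raise ValueError("InResponseTo does not match the AuthnRequest this session issued")
    if root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    cond = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions")
    if not utc(cond.get("NotBefore")) <= (now or utc_now()) < utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its NotBefore/NotOnOrAfter window")
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion audience is not this SP")
    return root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID").text
```

The request ID handed to build_redirect_url must be stored server-side (session or cache) and passed back as outstanding_id when the POST arrives, and removed once used, so that each AuthnRequest can be answered exactly once.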
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev