Re: [higgins-dev] SAML 2.0 support + additional questions on higgins

[Prateek Mishra <prateek.mishra@xxxxxxxxxx>]

Lalit,

many of your questions have more to do with the SAML 2.0 protocols - I 
think you can get some answers (and also a lot of interest in your 
project) from the saml-dev mailing list.

You can subscribe to the mailing list at:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#feedback


- prateek
> Hello Markus,
>
> Thanks a million for answering my queries.
>
> You mentioned that Idp does not retrieve attributes from datastores 
> and does not includes them in assertion , but is it possible
> to do so in higgins ? If possible how  ?
>
> Also ,I believe the session management will be the responsibility of 
> the solution which is  built using higgins, am i right ?
>
> Last one,I  was browsing through other implementation of SSO which use 
> saml 2.One of them is shibboleth and it
> does not provide SAML 2 Global logout .
>
> Is it possible in higgins ?
>
> please share your inputs on my questions.
>
> Many Thanks.
>
>
> Best Regards,
> Lalit
>
> On Wed, May 28, 2008 at 11:24 AM, Markus Sabadello 
> <msabadello@xxxxxxxxxxxxx <mailto:msabadello@xxxxxxxxxxxxx>> wrote:
>
>     Hello lalit,
>
>     I have been working on the Higgins SAML 2.0 IdP component. As
>     Brian said, the best place to look at is
>     http://wiki.eclipse.org/SAML2_IdP.
>     Also, you can see a test relying party and the IdP deployed at
>     https://graceland.parityinc.net/saml2idp-test/ (use saba/testpass
>     to log in).
>
>     Regarding your requirements:
>
>     1) Yes the IdP speaks SAML 2.0, however not all features are
>     currently implemented.
>     2) Yes the SP initiated SSO is exactly the scenario that is
>     supported. The request is sent via the HTTP Redirect binding, and
>     the response via the HTTP POST binding.
>     3) Our main efforts in Higgins have been on the IdP side, however
>     there is also example relying party code. It does not
>     automatically redirect to the IdP (you have to press a button),
>     but that shouldn't be too hard to adapt to your needs..
>     4) The IdP currently does not retrieve attributes and include them
>     in the assertion. It just asserts that the user "is logged in".
>     5) There are several ways in which the IdP can be configured to
>     allow/deny certain requests. See the diagram at
>     http://wiki.eclipse.org/SAML2_IdP_Overview#Security.
>     6) CD stands for "cross domain"? I am not sure what that means
>     exactly. Could you clarify? If it means that the SP and IdP can be
>     on different domains, well yes, why should that be a problem..
>     7) One of the core ideas of the Higgins architecture is to be able
>     to support any protocol.. In fact we are going to have a
>     discussion about this topic tomorrow. There is another component
>     in Higgins with overlapping functionality (the STS), and the big
>     idea is to unify them to turn Higgins into a true multi-protocol
>     server. See http://wiki.eclipse.org/SAML2_and_STS_Convergence for
>     some thoughts on this.
>     8) I am not sure what you mean with wrappers.. What should they do?
>
>     You may also be interested in the web config interface for the
>     SAML 2.0 IdP: http://graceland.parityinc.net/saml2idp-server-config/
>
>     Markus
>
>     On Wed, May 28, 2008 at 11:48 AM, lalit ruchandani
>     <higginsuser@xxxxxxxxxxxxxx <mailto:higginsuser@xxxxxxxxxxxxxx>>
>     wrote:
>
>         Hello All,
>
>         I am looking for a framework for creating an SSO solution.
>         I found higgins very interesting.I am completely unware as to
>         what all if offers and how.
>
>         I have following requirements .Can anyone please let me know
>         if higgins suits the bill.
>
>         1) SAML 2.0 support ( please let me know what is available)
>         2)  SP-Initiated SSO
>         3) Access check mechanism at SP, so that automatic redirect to
>         Idp takes place
>             when the the user is not logged in .This redirect will
>         inculde SAMLRequest (autthentication)
>         4) retriveing logged in attributes from LDAp/Database upon
>         successful authentication and passing it to ACS in assertion.
>         5) Access Control is required at the application i.e.
>         protected application.
>         6) Provision for CD SSO
>         7) Provision for extending higgins for various protocols like
>         WAP,IVR ..etc
>
>         8) Provision of adding wrappers on top to Higgins existing
>         SAML 2 endpoints.if the need arises.
>
>
>         ALL experts , any help  is greatly appreciated.
>
>         many thanks in advance
>
>         Best Regards,
>         Lalit
>
>         _______________________________________________
>         higgins-dev mailing list
>         higgins-dev@xxxxxxxxxxx <mailto:higgins-dev@xxxxxxxxxxx>
>         https://dev.eclipse.org/mailman/listinfo/higgins-dev
>
>
>
>     _______________________________________________
>     higgins-dev mailing list
>     higgins-dev@xxxxxxxxxxx <mailto:higgins-dev@xxxxxxxxxxx>
>     https://dev.eclipse.org/mailman/listinfo/higgins-dev
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
>