Re: [higgins-dev] Can we rename saml2idp.saml2?

Mike,
 
It would be nice if the utility class (whatever it ends up being) also had methods for validating the token:
 
isSignatureValid
isIssuerValid (does it match the cert)
isDateRangeValid
isX509CertValid(boolean validateEntireCertChain)
etc.
 
We will probably have policies that tell us how much validation we want to do on a token we receive.
 
Daniel

>>> "Tom Doman" <tdoman@xxxxxxxxxx> 6/6/2008 1:35 PM >>>
The short answer is, the SAML2 assertion came from somewhere the
application felt good about.  :)  In this case, it just came from a SAML2
capable IdP.

Yeah, we need something that knows it's SAML2 so we can pick out
the subject information at least.  Thus, the materials the way we've
defined it so far.  I should also note that we need to preserve the
original assertion as is to pass on and that's why we have that accessor
in the AuthNSAML2 materials but if the serialization of the assertion
from Markus utility code preserved the original form as far as signature
verification would be concerned, then, we wouldn't need that accessor
or even the additional materials class as Jim mentioned.

Tom

>>> Michael McIntosh <mikemci@xxxxxxxxxx> 06/06/08 12:06 PM >>>
higgins-dev-bounces@xxxxxxxxxxx wrote on 06/06/2008 10:37:45 AM:

> From: Jim Sermersheim
> To: Higgins (Trust Framework) Project developer discussions
> Date: 06/06/2008 10:38 AM
> Subject: Re: [higgins-dev] Can we rename saml2idp.saml2?
>
> What we wanted to be able to do is authenticate to IdAS using a
> SAML2 assertion.  The application consuming IdAS will receive a

So you want something you can pass to IContext::open as a credential. Where
do you get this SAML 2 Assertion from?

> serialized SAML2 assertion and open an IContext with it.  Right now,
> we're using org.eclipse.higgins.saml2idp.saml2.SAMLAssertion.
> Actually, we have a thin wrapper over
> org.eclipse.higgins.saml2idp.saml2.SAMLAssertion.  You can see it at
> org.eclipse.higgins.idas.common.AuthNSAML2AssertionMaterials.  We
> wanted to make sure we (the CP) could get the serialized form of the
> SAML2 assertion back in the exact form that it came in.  We hope
> SAMLAssertion.toString() will produce the correct form, but we
> weren't sure, so we built that little wrapper so we could preserve it.

Hmmm, trying to figure out how much functionality you need from this. Do
you just need something like: AuthNXMLTokenMaterials? Or do you need
something that allows you to pull various element values out of the SAML 2
Assertion?

>
> Jim
>
> >>> Michael McIntosh <mikemci@xxxxxxxxxx> 06/06/08 7:24 AM >>>
> Jim,
>
> There is a lot of code in all the deployments that should be shared - that
> was the theme of a presentation I did at the last Provo F2F.
> What functionality do you need?
>
> Regards,
> Mike
>
> higgins-dev-bounces@xxxxxxxxxxx wrote on 06/06/2008 04:49:56 AM:
>
> > From: Jim Sermersheim
> > To: Higgins (Trust Framework) Project developer discussions
> > Date: 06/06/2008 04:51 AM
> > Subject: Re: [higgins-dev] Can we rename saml2idp.saml2?
> >
> > For what we need, it would be nice if we ended up with a set of
> > SAML2 utilities that were (architecturally) consumable by any other
> > component.  Mike, Is there code in the STS libraries that should
> > instead be exposed for a more general purpose?
> >
> > Jim
> >
> > >>> "Markus Sabadello" <msabadello@xxxxxxxxxxxxx> 06/06/08 12:40 AM >>>
> > Sure, but as I understand the idea is to replace the functionality
> > of that library with STS components.
> >
> > In fact, after a recent call with Mike I have started to work on my
> > IdP to use the STS instead of that library.
> >
> > But yes, go ahead and rename it (or should I do that?)
> >
> > Markus
>
> > On Fri, Jun 6, 2008 at 12:10 AM, Jim Sermersheim <jimse@xxxxxxxxxx> wrote:
> > Markus,
> >
> > Can we rename org.eclipse.higgins.saml2idp.saml2 to something like
> > org.eclipse.higgins.util.saml2?
> >
> > We'd like to consume it in non-idp code and it seems to be purely a
> > utility-type library.
> >
> > Jim
> >
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev
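Added example, not Higgins code: a sketch of the policy-driven validation Daniel lists above (isSignatureValid, isIssuerValid, isDateRangeValid), applied to the serialized assertion exactly as it was received, which is why Tom and Jim want the original form preserved. The class, method and Policy names are hypothetical; the issuer URL, the assertion and the RSA key are constructed inside the block. The issuer is bound to a signing key configured out of band rather than to whatever KeyInfo the token carries, and the signature is only accepted if it sits directly under the assertion and references the assertion's own ID, so a wrapped or relocated signature fails.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Hypothetical helper (not a Higgins API): policy-driven checks on a received SAML2 assertion. */
public class Saml2AssertionChecks {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Which checks the receiving component insists on, plus its trust configuration. */
    static class Policy {
        boolean requireSignature = true, requireTrustedIssuer = true, requireDateRange = true;
        Duration clockSkew = Duration.ofMinutes(2);
        Map<String, PublicKey> trustedIssuers = new HashMap<>(); // issuer name -> signing key known out of band
    }

    /** Parses the serialized assertion with DTDs disabled (no XXE) and registers ID so "#ID" references resolve. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        if (d.getDocumentElement().hasAttribute("ID")) d.getDocumentElement().setIdAttribute("ID", true);
        return d;
    }

    static String issuer(Document d) {
        NodeList n = d.getElementsByTagNameNS(SAML, "Issuer");
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    /** NotBefore <= now < NotOnOrAfter, tolerating a small clock skew between IdP and consumer. */
    static boolean isDateRangeValid(Document d, Instant now, Duration skew) {
        NodeList n = d.getElementsByTagNameNS(SAML, "Conditions");
        if (n.getLength() == 0) return false; // no validity window at all is treated as invalid
        Element c = (Element) n.item(0);
        if (c.hasAttribute("NotBefore") && now.plus(skew).isBefore(Instant.parse(c.getAttribute("NotBefore")))) return false;
        return !c.hasAttribute("NotOnOrAfter") || now.minus(skew).isBefore(Instant.parse(c.getAttribute("NotOnOrAfter")));
    }

    static boolean isIssuerValid(Document d, Policy p) {
        String iss = issuer(d);
        return iss != null && p.trustedIssuers.containsKey(iss);
    }

    /** Verifies the enveloped signature with the configured key only; KeyInfo inside the token is ignored. */
    static boolean isSignatureValid(Document d, PublicKey trustedKey) throws Exception {
        Element root = d.getDocumentElement();
        NodeList n = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (n.getLength() != 1 || n.item(0).getParentNode() != root) return false; // exactly one, directly under the assertion
        KeySelector ks = new KeySelector() {
            public KeySelectorResult select(KeyInfo k, KeySelector.Purpose p, AlgorithmMethod m, XMLCryptoContext c) {
                return () -> trustedKey;
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(ks, n.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        List<?> refs = sig.getSignedInfo().getReferences(); // what was signed must be this assertion, not another element
        if (refs.size() != 1 || !("#" + root.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI())) return false;
        return sig.validate(ctx);
    }

    /** Runs the checks the policy asks for; an empty list means the token passed. */
    static List<String> validate(Document d, Policy p, Instant now) throws Exception {
        List<String> failures = new ArrayList<>();
        if (p.requireTrustedIssuer && !isIssuerValid(d, p)) failures.add("issuer not trusted");
        if (p.requireDateRange && !isDateRangeValid(d, now, p.clockSkew)) failures.add("outside validity window");
        if (p.requireSignature) {
            PublicKey k = p.trustedIssuers.get(issuer(d));
            if (k == null || !isSignatureValid(d, k)) failures.add("signature invalid");
        }
        return failures;
    }

    /** Demo: sign a constructed assertion with a fresh key, accept it, then reject a tampered copy. */
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Instant now = Instant.now();
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML + "\" ID=\"_a1\" Version=\"2.0\" IssueInstant=\"" + now + "\">"
            + "<saml:Issuer>https://idp.example.org</saml:Issuer>" // constructed sample issuer, not a real IdP
            + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
            + "<saml:Conditions NotBefore=\"" + now.minusSeconds(60) + "\" NotOnOrAfter=\"" + now.plusSeconds(300) + "\"/>"
            + "</saml:Assertion>";
        Document d = parse(xml);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_a1", fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                    fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), List.of(ref));
        Node subject = d.getElementsByTagNameNS(SAML, "Subject").item(0); // schema order: Issuer, Signature, Subject
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), d.getDocumentElement(), subject));

        Policy p = new Policy();
        p.trustedIssuers.put("https://idp.example.org", kp.getPublic());
        System.out.println("untouched: " + validate(d, p, now));
        d.getElementsByTagNameNS(SAML, "NameID").item(0).setTextContent("mallory");
        System.out.println("tampered:  " + validate(d, p, now));
    }
}
```

Two caveats for anyone turning this into a real component. The isX509CertValid check from Daniel's list is deliberately absent: the example trusts a key per issuer, so the certificate question collapses into configuration; if the IdP's signing certificate is to be taken from the token instead, its chain has to be built and checked against a trust anchor (CertPathValidator in the JDK) before its key is used, and the issuer name must be matched against that validated certificate rather than against the bare Issuer element. Second, an assertion can be perfectly valid and still not be meant for this consumer, so an AudienceRestriction check against the consumer's own entity ID belongs in the same policy.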