Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [higgins-dev] Question about SAML2 IdP and STS IdP

The scenario seems to match...

Our scenario is like this:

1. There exist a group of applications that have the users in common. A third party manages this users from an LDAP that is mapped towards Higgins STS (Higgins users are visible from every app) and also manages authentication and authorization.
2. One application is the Higgins STS with a few tweaks. This application is a demo in order to allow people to play with Higgins and iCards.

Lets say that we want also to allow users to authenticate into all the applications using iCards. To allow this we need to change the authentication method to retrieve an AuthN SAML 1.1 token that the third party is able to understand and to map towards the right user.

Maybe the idea is to combine STS and SAML2 IdP. U know if is possible to issue SAML AuthN 1.1 tokens?

Thank you for the answers.

---
David Campos


On Wed, Jul 29, 2009 at 11:47, Markus Sabadello <markus.sabadello@xxxxxxxxx> wrote:
Hi David,

I think you would want to extend the STS to do what you have in mind.

The SAML2 IdP is used for the SAML SP-initiated SSO profile, i.e. a typical sequence is this:
1. A relying party ("SP" in SAML terminology) wants to authenticate a user. Therefore it redirects the browser to the SAML IdP with a SAML AuthnRequest.
2. The SAML IdP somehow authenticates the user. It then redirects the browser back to the SP with a SAML Assertion.
3. The relying party (SP) now knows who the user is.

At step 2, the Higgins SAML2 IdP can authenticate the user either against an IdAS Context, or by asking for a card, but this is all transparent to the SP.

The main use case we had in mind when developing the SAML2 IdP was to support sign-in to Google Apps, which can be configured to act as a SAML SP. See here: http://code.google.com/apis/apps/sso/saml_reference_implementation.html
We have a demo deployment that allows you to sign in to Google Apps with a card.

If this sounds close to what you have in mind, then maybe you can use the SAML2 IdP, otherwise I think you would want to try get the STS to issue the kind of tokens you want.

Markus

On Wed, Jul 29, 2009 at 9:10 AM, David Campos <noymn.the.archangel@xxxxxxxxx> wrote:
Hello all,

I have a question about the SAML2IdP that is available on the Higgins Web Page. I've successfully deployed the STS solution and I've been working long time with it but now I would be able to generate SAML Authentication assertions with some cards and SAML Attribute assertions with the other.

The first tokens would be used to perform a SSO between other apps in the same realm and the second tokens would be used for the usual claim disclosure.

My question comes here, is possible to extend the normal STS in order to create a new Endpoint that issues those tokens? I guess that the higgins framework is enough powerful and flexible to express that but I don't know if I need to deploy the SAML2IdP or I can simply extend the STS.

Also I would like to know if there is a restriction that would force me to use SAML2 auth tokens or whether SAML 1.1 tokens can be issued also.

Thanks for your answers.

Regards,
---
David Campos

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev



_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev



Back to the top