[jetty-dev] WS-Federation support for jetty

Hi there

I've started looking into adding support for WS-Federation Passive Requestor Profile in Jetty by adding a new module for the Apache CXF Fediz project. The approach of this SSO concept is that unauthenticated requests are redirected to a central IDP component (as provided by Fediz) which does the authentication. Finally, a SAML token is issued and posted to Jetty via the browser. The token is validated and a session is created.

My idea is to write a custom authenticator (extending LoginAuthenticator) which does the redirect and validates the SAML token (similar to FormAuthenticator, except that it redirects instead of forwarding). The Fediz project provides most of the WS-Federation related processing in a container-independent module. I only have to adapt that module to Jetty.

Finally, the SAML token has a restriction on its validity which might be shorter than the HTTP session duration. As the Authenticator should only be called once, during the initial authentication, I thought of writing a custom handler which checks the validity of the cached token and triggers a redirect to the IDP in case the token is invalid.

Does it make sense to integrate it as described above?

Thanks
Oli
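An added sketch, not the author's code and not the Fediz project's, of the authenticator described in the mail against the Jetty 9 security API: a `LoginAuthenticator` that redirects unauthenticated requests to the IDP, validates the `wresult` posted back by the browser, and re-checks the cached token's NotOnOrAfter on every request so the SAML lifetime is enforced even when the HTTP session outlives it (here that check sits in the authenticator itself rather than in a separate handler). `WsFedAuthenticator`, `Token`, `TokenValidator` and the session attribute names are assumptions; the actual signature and audience checks are left to the Fediz module behind `TokenValidator`.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.time.Instant;
import javax.servlet.*;
import javax.servlet.http.*;
import org.eclipse.jetty.security.*;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.*;

public class WsFedAuthenticator extends LoginAuthenticator {
    /** Result of the Fediz-side validation: the Jetty identity plus the token's NotOnOrAfter. */
    public static final class Token { public final UserIdentity identity; public final Instant notOnOrAfter;
        public Token(UserIdentity i, Instant e) { identity = i; notOnOrAfter = e; } }
    /** Hypothetical adapter onto the Fediz processing module (not the real Fediz API): verifies
     *  signature, audience and lifetime of the posted wresult and returns null when it is invalid. */
    public interface TokenValidator { Token validate(String wresult, String realm); }
    private static final String TOKEN = "wsfed.token", SAVED_URI = "wsfed.uri"; // assumed attribute names
    private final String idpUrl, realm; private final TokenValidator validator;

    public WsFedAuthenticator(String idpUrl, String realm, TokenValidator v) { this.idpUrl = idpUrl; this.realm = realm; validator = v; }
    @Override public String getAuthMethod() { return "WSFED"; }

    @Override
    public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        try {
            String wresult = request.getParameter("wresult");
            if (wresult != null && "wsignin1.0".equals(request.getParameter("wa"))) {
                // Browser posted the IDP response: validate it, then redirect (not forward) to the saved URI.
                Token token = validator.validate(wresult, realm);
                if (token == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return Authentication.SEND_FAILURE; }
                String target = (String) session.getAttribute(SAVED_URI);
                session = renewSession(request, response); // fresh session id once authenticated
                session.setAttribute(TOKEN, token);
                response.sendRedirect(target != null ? target : request.getContextPath() + "/");
                return Authentication.SEND_CONTINUE;
            }
            // Cached token: enforce the SAML lifetime even though the HTTP session may live longer.
            Token cached = (Token) session.getAttribute(TOKEN);
            if (cached != null && Instant.now().isBefore(cached.notOnOrAfter))
                return new UserAuthentication(getAuthMethod(), cached.identity);
            session.removeAttribute(TOKEN);
            if (!mandatory) return Authentication.UNAUTHENTICATED;
            // No valid token: remember the requested URI and send the browser to the IDP.
            session.setAttribute(SAVED_URI, request.getRequestURI());
            response.sendRedirect(idpUrl + "?wa=wsignin1.0&wtrealm=" + URLEncoder.encode(realm, "UTF-8"));
            return Authentication.SEND_CONTINUE;
        } catch (IOException e) { throw new ServerAuthException(e); }
    }
    @Override public boolean secureResponse(ServletRequest q, ServletResponse s, boolean m, Authentication.User u) { return true; }
}
```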

