Re: [jetty-dev] WS-Federation support for jetty

Seems pretty straightforward, though you might end up making a
LoginService as well.  Actually this is not unlike the Spnego setup I
added quite a while ago...take a look at those classes in the
jetty-security module.

good luck and keep me posted :)

jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx


On Wed, Nov 21, 2012 at 10:29 AM, Oliver Wulff <owulff@xxxxxxxxxx> wrote:
> Hi there
>
> I've started looking into adding support for WS-Federation Passive Requestor
> Profile in Jetty by adding a new module for the Apache CXF Fediz project.
> The approach of this SSO concept is that unauthenticated requests are
> redirected to a central IDP component (as provided by Fediz) which does the
> authentication. Finally, a SAML token is issued and posted to Jetty via the
> browser. The token is validated and a session is created.
>
> My idea is to write a custom authenticator (extend LoginAuthenticator) which
> does the redirect and validates the SAML token (similar to FormAuthenticator,
> with the exception that it redirects instead of forwarding). The Fediz project
> provides most of the WS-Federation related processing in a container
> independent module. I only have to adapt that module to Jetty.
>
> Finally, the SAML token has a restriction on its validity which might be
> smaller than the HTTP session duration. As the Authenticator should only be
> called once during the initial authentication I thought to write a custom
> handler which checks the validity of the cached token and triggers a
> redirect to the IDP in case the token is invalid.
>
> Does that make sense to integrate it as described above?
>
> Thanks
> Oli
>
>
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>
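The expiry-check handler Oli describes, written out as an added example (this is not Fediz or Jetty code): a Jetty HandlerWrapper that re-checks the cached token's expiry on every request and, once the token has lapsed, drops the session and sends a WS-Federation sign-in request (wa=wsignin1.0) to the IDP. The session attribute name, IDP URL and realm are assumptions, as is the Jetty 9 HandlerWrapper.handle signature.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;

/**
 * Re-checks the SAML token's validity on each request. The HTTP session can
 * outlive the token, and the Authenticator only runs at initial login, so
 * without this check an expired token keeps granting access until the
 * session itself times out.
 */
public class TokenExpiryHandler extends HandlerWrapper {
    // Hypothetical attribute: the authenticator is assumed to store the token's
    // NotOnOrAfter instant (epoch millis) under this key when it creates the session.
    static final String TOKEN_EXPIRY_ATTR = "fediz.token.notOnOrAfter";

    private final String idpUrl; // placeholder, e.g. https://idp.example.org/fediz/idp
    private final String realm;  // wtrealm: identifier of this relying party (placeholder)

    public TokenExpiryHandler(String idpUrl, String realm) {
        this.idpUrl = idpUrl;
        this.realm = realm;
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        Long expiry = session == null ? null : (Long) session.getAttribute(TOKEN_EXPIRY_ATTR);
        if (expiry != null && System.currentTimeMillis() >= expiry) {
            // Token outlived by the session: invalidate it and restart the passive sign-in.
            session.invalidate();
            response.sendRedirect(signInUrl(request));
            baseRequest.setHandled(true);
            return;
        }
        // No session, or token still valid: let the Authenticator and the web app proceed.
        super.handle(target, baseRequest, request, response);
    }

    /** WS-Federation Passive Requestor sign-in request; wreply is where the IDP posts the token. */
    String signInUrl(HttpServletRequest request) throws IOException {
        String enc = StandardCharsets.UTF_8.name();
        return idpUrl + "?wa=wsignin1.0&wtrealm=" + URLEncoder.encode(realm, enc)
                + "&wreply=" + URLEncoder.encode(request.getRequestURL().toString(), enc);
    }
}
```

Wrap the web app's handler with this one and place it in front of the security handler so the check runs before any cached authentication is trusted.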

