|Putting together a multiple protocol RP application [message #6685]
||Tue, 01 April 2008 17:26
Originally posted by: jas.535consulting.com|
I'm looking into Higgins in the hope of implementing an "authentication
server". That is, the architecture calls for creating a simple API
between various local applications+user agent and the authentication
server. This API will remain fairly constant, and it is the
responsibility of the authentication server+user agent to work with
various protocols, IdPs etc.
I'm looking for a Java framework to allow me be build the authentication
server, and Higgins looks promising. However, InfoCard is not my initial
concern, though, so much as supporting protocols such as SAML, OpenID,
as well as a couple of custom protocols. There is also the need to make
use of our existing database of local user information.
As far as I can tell, I need to make use of "Relying Party Enablement",
as the authentication server is an RP. It looks like the aforementioned
protocols need to be implemented as sub-classes of
org.eclipse.higgins.rp.AuthProtocolHandler. The custom protocols I
expect to implement myself, but it appears there is no existing
component for either SAML or OpenID, just iCard (Higgins 1.0 anyway).
I see there is available both a Higgins based SAML 2 IdP, as well as a
test SAML 2 RP application, which itself does not make use of RP
enablement. I suppose the latter could be used as a basis for SAML 2 RP
functionality. Are there any near term prospects for more official RP
Enablement based implementations of SAML (most important to me), and
I still need to wade through the documentation regarding IdAS, contexts
etc. to see how to tie things together and uniformly access the user
identity information available via each protocol, but it looks promising.
I want a system whereby the user agent is redirect to the authentication
server by one or more local applications. The authentication server,
then, can determine the appropriate IdP, or ask the user if it can't
figure it out, and kick of that authentication protocol via the user
agent. After interacting with the IdP, the user agent is redirected back
to the authentication server, which needs to complete the protocol,
verify the IdP token/cookie/whatever, and make the user
identity/attributes available in a neutral manner for further
non-protocol/IdP specific processing by the authentication server. This
all sounds like something Higgins can help facilitate.
I'm still in the evaluation phase. Am I mis-reading anything regarding
Powered by FUDForum
. Page generated in 0.01384 seconds