[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
| Re: [higgins-dev] Question about SAML2 IdP and STS IdP | 
Hi David,
You say "we want also to allow users to authenticate into all the applications using iCards".
I guess from a high level perspective you have two options to do that.
Option 1:
You turn all your applications into i-card relying parties, i.e. accept the i-cards that you are already issuing directly at those applications. With a suitable relying party policy (<object> tag) you can even make it so that only your own i-cards can be used.
>From a user's perspective, this means that the i-card selector will pop up directly at the application that they are trying to sign in.
For this option you don't need the SAML2 IdP, you just need the STS and issue i-cards (which you are already doing).
Option 2:
You turn all your applications into SAML SPs, i.e. accept SAML tokens via the SAML HTTP Redirect binding. For this you need to set up the SAML2 IdP, which will take and process requests via the SAML HTTP Redirect binding.
>From a user's perspective, this means that they get redirected to the SAML2 IdP, and then they authenticate there.
As I said, this authentication step can work with the Higgins IdAS component (i.e. users would enter their LDAP credentials directly in a web form at the SAML2 IdP page), or it can work with a card (i.e. the i-card selector would pop up at the SAML2 IdP page).
So to be clear, you can turn your applications into SPs under the SAML HTTP Redirect binding, or you can turn them into i-card relying parties.
Sorry to ask again (maybe I didn't fully understand you), which of the 2 options do you have in mind (or something completely different)?
Markus
On Wed, Jul 29, 2009 at 1:11 PM, David Campos 
<noymn.the.archangel@xxxxxxxxx> wrote:
The scenario seems to match... 
Our scenario is like this:
1. There exist a group of applications that have the users in common. A third party manages this users from an LDAP that is mapped towards Higgins STS (Higgins users are visible from every app) and also manages authentication and authorization.
2. One application is the Higgins STS with a few tweaks. This application is a demo in order to allow people to play with Higgins and iCards.
Lets say that we want also to allow users to authenticate into all the applications using iCards. To allow this we need to change the authentication method to retrieve an AuthN SAML 1.1 token that the third party is able to understand and to map towards the right user.
Maybe the idea is to combine STS and SAML2 IdP. U know if is possible to issue SAML AuthN 1.1 tokens?
Thank you for the answers.
---
David Campos
On Wed, Jul 29, 2009 at 11:47, Markus Sabadello 
<markus.sabadello@xxxxxxxxx> wrote:
Hi David,
I think you would want to extend the STS to do what you have in mind.
The SAML2 IdP is used for the SAML SP-initiated SSO profile, i.e. a typical sequence is this:
1. A relying party ("SP" in SAML terminology) wants to authenticate a user. Therefore it redirects the browser to the SAML IdP with a SAML AuthnRequest.
2. The SAML IdP somehow authenticates the user. It then redirects the browser back to the SP with a SAML Assertion.
3. The relying party (SP) now knows who the user is.
At step 2, the Higgins SAML2 IdP can authenticate the user either against an IdAS Context, or by asking for a card, but this is all transparent to the SP.
The main use case we had in mind when developing the SAML2 IdP was to support sign-in to Google Apps, which can be configured to act as a SAML SP. See here: http://code.google.com/apis/apps/sso/saml_reference_implementation.html
We have a demo deployment that allows you to sign in to Google Apps with a card.
If this sounds close to what you have in mind, then maybe you can use the SAML2 IdP, otherwise I think you would want to try get the STS to issue the kind of tokens you want.
Markus
Hello all,
I have a question about the SAML2IdP that is available on the Higgins Web Page. I've successfully deployed the STS solution and I've been working long time with it but now I would be able to generate SAML Authentication assertions with some cards and SAML Attribute assertions with the other. 
The first tokens would be used to perform a SSO between other apps in the same realm and the second tokens would be used for the usual claim disclosure.
My question comes here, is possible to extend the normal STS in order to create a new Endpoint that issues those tokens? I guess that the higgins framework is enough powerful and flexible to express that but I don't know if I need to deploy the SAML2IdP or I can simply extend the STS.
Also I would like to know if there is a restriction that would force me to use SAML2 auth tokens or whether SAML 1.1 tokens can be issued also.
Thanks for your answers.
Regards,
---
David Campos
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
 
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev