Posted to dev@cxf.apache.org by Oliver Wulff <ow...@talend.com> on 2012/01/27 10:11:10 UTC

[CXF-3882] WS-Federation and Claims transformation

Hi there

Due to extensions for the WS-Federation Web SSO support I'm looking into CXF-3882.

Let's assume an STS has configured several realms/security domains. What happens if I send a SAML token from one security domain and request a new SAML token from another security domain?

Right now, the STS will call the configured identityMapper to map the principal.

One of the nice things in WS-Federation is that you don't want to provision a user id for a single person in all realms (security domains) because it's an administration nightmare. Instead, you map the claims (any sort of statements made about a user) from one security domain to the other.

1) I'd propose to introduce a new interface ClaimsMapper which gets the source realm, target realm and source claims list and returns the target claims.

2) You configure the kind of relationship between the realms like this:

<bean class="org.apache.cxf.sts.StaticSTSProperties">
  ...
  <property name="relationships" ref="relationships"/>
</bean>

<util:list id="relationships">
   <bean class="org.apache.cxf.sts.claims.Relationship">
      <property name="source" value="www.company.com" />
      <property name="target" value="www.apache.org" />
      <property name="type" value="IdentityFederation|ClaimsFederation" />
      <property name="identityMapper" ref="" />
      <property name="claimsMapper" ref="" />
   </bean>
</util:list>

The StaticSTSProperties provides a new property called relationships which references a list of Relationship beans. The Relationship bean defines the type of relation when a security token from realm 'source' must be mapped to realm 'target'. Whether identities or claims are mapped is defined in 'type'. The identityMapper and claimsMapper can be defined here but are optional, as the interfaces of the two are generic and can be defined globally. The relationship is not bidirectional. If you need to map a token from "www.apache.org" to "www.company.com" then you must define a new relationship as the type of relation can be different.

What do you think?

------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

Re: [CXF-3882] WS-Federation and Claims transformation

Posted by Oliver Wulff <ow...@talend.com>.
Hi Colm

If you don't configure the relationship list it will go by calling the configured IdentityMapper.

Thanks
Oli

------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com
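The mapping dispatch proposed in the first mail, together with the fallback Oli describes in this reply, as an added example: this is not code from the thread or from CXF itself, and every type in it (Claim, ClaimsMapper, IdentityMapper, Relationship, Result, RealmMapper) is a hypothetical stand-in whose names and signatures are assumptions. The realm names, claim types and values are constructed sample data. Two behaviours go beyond what the thread states and are design choices of this example only: a source/target pair with no configured relationship is refused rather than mapped, and the sample ClaimsMapper forwards only allow-listed claims, so a claim the table does not know never reaches the target realm.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Every type below is a hypothetical stand-in written for this example, not a CXF class.
public class ClaimsFederationExample {
    /** A claim: a type URI plus a value, i.e. one statement made about the user. */
    public static final class Claim {
        public final String type, value;
        public Claim(String type, String value) { this.type = type; this.value = value; }
        @Override public String toString() { return type + "=" + value; }
    }
    /** The proposed interface: source realm, target realm and source claims in, target claims out. */
    public interface ClaimsMapper {
        List<Claim> mapClaims(String sourceRealm, String targetRealm, List<Claim> sourceClaims);
    }
    /** The mapper the STS already calls today: maps the principal from one realm to another. */
    public interface IdentityMapper {
        Principal mapPrincipal(String sourceRealm, Principal sourcePrincipal, String targetRealm);
    }
    /** One directed source->target relationship, mirroring the proposed Relationship bean. type is
     *  "IdentityFederation" or "ClaimsFederation"; both mappers are optional (null = use the global one). */
    public static final class Relationship {
        final String source, target, type;
        final IdentityMapper identityMapper;
        final ClaimsMapper claimsMapper;
        public Relationship(String source, String target, String type, IdentityMapper im, ClaimsMapper cm) {
            this.source = source; this.target = target; this.type = type; identityMapper = im; claimsMapper = cm;
        }
    }
    /** Outcome of a cross-realm exchange: a mapped principal or a mapped claim list, never both. */
    public static final class Result {
        public final Principal principal; public final List<Claim> claims;
        Result(Principal principal, List<Claim> claims) { this.principal = principal; this.claims = claims; }
    }
    /** The dispatch an STS would perform when a token from sourceRealm is exchanged for targetRealm. */
    public static final class RealmMapper {
        private final List<Relationship> relationships;
        private final IdentityMapper globalIdentityMapper;
        private final ClaimsMapper globalClaimsMapper;
        public RealmMapper(List<Relationship> rels, IdentityMapper globalIm, ClaimsMapper globalCm) {
            relationships = rels == null ? Collections.<Relationship>emptyList() : rels;
            globalIdentityMapper = globalIm; globalClaimsMapper = globalCm;
        }
        public Result map(String sourceRealm, String targetRealm, Principal principal, List<Claim> claims) {
            // Backwards-compatible path from the follow-up mail: with no relationship list configured,
            // the STS calls the configured IdentityMapper exactly as it does today.
            if (relationships.isEmpty()) {
                return new Result(globalIdentityMapper.mapPrincipal(sourceRealm, principal, targetRealm), null);
            }
            // Relationships are directed: only an exact (source, target) pair matches, so the reverse
            // direction needs its own entry. Refusing an unconfigured pair is a choice made in this example.
            Relationship rel = null;
            for (Relationship r : relationships) {
                if (r.source.equals(sourceRealm) && r.target.equals(targetRealm)) { rel = r; break; }
            }
            if (rel == null) throw new SecurityException("no relationship from " + sourceRealm + " to " + targetRealm);
            if ("ClaimsFederation".equals(rel.type)) {
                ClaimsMapper cm = rel.claimsMapper != null ? rel.claimsMapper : globalClaimsMapper;
                return new Result(null, cm.mapClaims(sourceRealm, targetRealm, claims));
            }
            IdentityMapper im = rel.identityMapper != null ? rel.identityMapper : globalIdentityMapper;
            return new Result(im.mapPrincipal(sourceRealm, principal, targetRealm), null);
        }
    }
    public static void main(String[] args) {
        // Constructed sample ClaimsMapper: an allow-list of "source type|value" -> target claim. A claim
        // with no table entry is dropped rather than forwarded verbatim (again a choice made in this example).
        Map<String, Claim> table = new HashMap<>();
        table.put("urn:company:role|developer", new Claim("urn:apache:role", "committer"));
        ClaimsMapper companyToApache = (src, dst, in) -> {
            List<Claim> out = new ArrayList<>();
            for (Claim c : in) { Claim m = table.get(c.type + "|" + c.value); if (m != null) out.add(m); }
            return out;
        };
        List<Relationship> rels = new ArrayList<>();
        rels.add(new Relationship("www.company.com", "www.apache.org", "ClaimsFederation", null, companyToApache));
        IdentityMapper globalIdentity = (src, p, dst) -> () -> p.getName() + "@" + dst; // constructed sample mapper
        RealmMapper sts = new RealmMapper(rels, globalIdentity, null);
        Principal alice = () -> "alice";
        List<Claim> claims = new ArrayList<>();
        claims.add(new Claim("urn:company:role", "developer"));
        claims.add(new Claim("urn:company:costcenter", "4711"));
        // Claims federation: only the allow-listed role claim reaches www.apache.org.
        System.out.println("mapped claims: " + sts.map("www.company.com", "www.apache.org", alice, claims).claims);
        // Legacy configuration without a relationship list: identity mapping as before.
        Result legacy = new RealmMapper(null, globalIdentity, null).map("www.company.com", "www.apache.org", alice, claims);
        System.out.println("legacy principal: " + legacy.principal.getName());
        // The reverse direction was never configured, so that exchange is refused.
        try { sts.map("www.apache.org", "www.company.com", alice, claims); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Compile and run with `javac ClaimsFederationExample.java && java ClaimsFederationExample` on Java 8 or later. The lookup uses the (source, target) pair as the whole key, which is what makes the relationship one-directional as the proposal requires: the www.apache.org to www.company.com exchange is refused until someone adds a second Relationship for it, with whatever type that direction needs.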

________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: Tuesday, 31 January 2012 17:23
To: dev@cxf.apache.org
Subject: Re: [CXF-3882] WS-Federation and Claims transformation

Hi Oli,

Makes sense to me. One question is will the change be backwards
compatible with the way the IdentityMapper is currently used?

Colm.

On Fri, Jan 27, 2012 at 9:11 AM, Oliver Wulff <ow...@talend.com> wrote:
> [...]



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [CXF-3882] WS-Federation and Claims transformation

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Oli,

Makes sense to me. One question is will the change be backwards
compatible with the way the IdentityMapper is currently used?

Colm.

On Fri, Jan 27, 2012 at 9:11 AM, Oliver Wulff <ow...@talend.com> wrote:
> [...]



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com