Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/06/07 13:39:20 UTC

DO NOT REPLY [Bug 51334] New: Web SSO support based on WS-Federation Passive Requestor Profile

https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

             Bug #: 51334
           Summary: Web SSO support based on WS-Federation Passive
                    Requestor Profile
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: oliver.wulff@zurich.ch
    Classification: Unclassified


The specification WS-Federation describes the Web SSO solution in chapter 13:
http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf

Tomcat should support this standard to integrate with other SSO solutions
natively.

Initially, an unauthenticated request is redirected to an identity provider
(IP) which issues for instance a SAML token. The IP is an external system. The
SAML token is validated by Tomcat (Relying Party), which then creates the
security context in Tomcat.

The idea is to write a custom Authenticator which triggers the redirect,
verifies the signed SAML token, reads the claims information (like Role), sets
up a cookie and creates the security context.

The authenticator must provide the following configuration options:
- URL of IDP (mandatory)
- audience URI (mandatory)
- trusted certificate (signed SAML token) (mandatory)
- service (RP) keystore to decrypt encrypted SAML tokens (optional)
- list of requested claims (firstname, lastname, email, ...; see
http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.pdf)
- URI of the claim which contains the roles (needed for isUserInRole()...)
- token type, SAML 1.1, 2.0

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

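As an added example (not code from the attached proposal or from Tomcat), the relying-party checks the authenticator described above has to perform on a signed SAML 2.0 assertion after it has been unwrapped from the wresult response: signature verification against the configured trusted certificate, a check that the signature really covers the Assertion element, and the validity-window and audience URI checks. It assumes only the Java 8+ standard library; the class and method names are hypothetical.

```java
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Hypothetical relying-party checks for a SAML 2.0 Assertion; not code from the attached project. */
public final class Saml2AssertionChecks {
    private static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Parses, verifies the enveloped signature with the trusted cert, checks validity window and audience. */
    public static Element validate(String xml, X509Certificate trustedCert, String audienceUri) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element assertion = doc.getDocumentElement();
        if (!SAML2.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName()))
            throw new SecurityException("root is not a SAML 2.0 Assertion");
        assertion.setIdAttribute("ID", true); // lets Reference URI="#<ID>" resolve to this element
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion)
            throw new SecurityException("expected exactly one Signature directly under Assertion");
        // Verify with the configured trusted certificate, never with a key carried in the token's KeyInfo.
        DOMValidateContext ctx = new DOMValidateContext(trustedCert.getPublicKey(), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects risky transforms/algorithms
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("XML signature did not verify");
        // The one signed Reference must be this Assertion; otherwise unsigned wrapper content could be trusted.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature does not cover the Assertion");
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML2, "Conditions").item(0);
        Instant now = Instant.now();
        if (cond == null || (cond.hasAttribute("NotBefore") && now.isBefore(Instant.parse(cond.getAttribute("NotBefore"))))
                || (cond.hasAttribute("NotOnOrAfter") && !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter")))))
            throw new SecurityException("no Conditions, or assertion outside its validity window");
        NodeList auds = cond.getElementsByTagNameNS(SAML2, "Audience");
        boolean audienceOk = false;
        for (int i = 0; i < auds.getLength(); i++) audienceOk |= audienceUri.equals(auds.item(i).getTextContent().trim());
        if (!audienceOk) throw new SecurityException("AudienceRestriction does not name this relying party");
        return assertion;
    }
}
```

The returned Assertion element is then the only thing the authenticator should read claims (such as the configured role claim URI) from; reading them before these checks pass would let an unsigned or replayed token populate the security context.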

DO NOT REPLY [Bug 51334] Web SSO support based on WS-Federation Passive Requestor Profile

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #4 from Mark Thomas <ma...@apache.org> 2012-01-22 19:55:33 UTC ---
On further reflection, I do not see sufficient demand for this to be included
in the Tomcat core distribution or as an extra.

For now, I would suggest hosting this elsewhere, adding it to [1] and sending a
note to the users list to ensure folks are aware that it exists. If demand for
this feature increases, we can always revisit whether or not to include this
feature in the Tomcat distribution.

One option for external hosting would be Apache extras [2].

[1] http://wiki.apache.org/tomcat/AddOns
[2] http://code.google.com/a/apache-extras.org/hosting/



DO NOT REPLY [Bug 51334] Web SSO support based on WS-Federation Passive Requestor Profile

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

--- Comment #3 from Mark Thomas <ma...@apache.org> 2012-01-15 22:14:15 UTC ---
This is a relatively large amount of code and I do not recall any demand for
this from the Tomcat user community. On that basis, I do not believe that this
belongs in the Core Tomcat distribution.

It might make sense as a module and distributed as another extra (i.e. built as
part of the release but provided as a separate download). Even then, I'm not
convinced there is sufficient demand for this feature to make the effort
required to add it and maintain it going forward worthwhile.



DO NOT REPLY [Bug 51334] Web SSO support based on WS-Federation Passive Requestor Profile

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

--- Comment #2 from Oliver wulff <ol...@zurich.ch> 2011-10-17 08:05:00 UTC ---
Created attachment 27797
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27797
Proposal

I've attached a complete maven project which consists of the following modules:

- wsfed-core
this is the core federation functionality which is servlet container agnostic

- wsfed-tomcat
this is the adaptation of the wsfed-core component for Tomcat implemented as an
authenticator

- wsfed-tomcat-example
this is the sample web application where federation is enabled. This example
must be deployed into a Tomcat container which contains the above library and
dependencies in wsfed-core and wsfed-tomcat.


WS-Federation depends on a third party security component called Identity
Provider (IDP). I've posted a blog which explains this in more detail. The
Identity Provider is responsible for authenticating a user and a security token
which is handled by an STS. The following two modules provide the IDP
functionality:

- wsfed-idp
this is the IDP component which is required for a web application which has
federation enabled. For more information check this out:
http://owulff.blogspot.com/2011/10/configure-and-deploy-identity-provider.html

- wsfed-idp-sts
this is the STS component which is used by the IDP. For more information check
this out:
http://owulff.blogspot.com/2011/10/configure-and-deploy-cxf-25-sts-part-i.html



DO NOT REPLY [Bug 51334] Web SSO support based on WS-Federation Passive Requestor Profile

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Catalina
            Version|unspecified                 |trunk
            Product|Tomcat 6                    |Tomcat 7
   Target Milestone|default                     |---
           Severity|normal                      |enhancement

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-06-07 14:59:36 UTC ---
If implemented, I don't see this being back-ported to 6 so moving to Tomcat 7.

Marking as an enhancement. As with any enhancement, providing a patch greatly
increases the chances of it getting into the code base. Without a patch or a
committer interested in implementing the feature it will eventually get
resolved as WONTFIX.
