Posted to dev@cxf.apache.org by Oliver Wulff <ow...@talend.com> on 2014/02/19 11:10:59 UTC

RE: SSO in Fediz IdP

Hi Stepan

Let's move the discussion to the dev list.

You're right that solution #1 is the right approach. It is also tracked in the following JIRA:

I'd like to keep the complexity and dependencies within the Fediz plugin (bundled with the application/idp) as small as possible and add this functionality to the IDP, otherwise the Fediz Plugin must support WS-Fed, SAML-P, OAuth, Facebook/LinkedIn authentication all together.

The Signin Flow is customizable (Spring Web Flow) which means you could add this functionality on your own based on release 1.1. As you know, work started for 1.2 which adds support for JPA/REST and Single Logout and we could add SAML-P support as well. The current domain model for the involved parties (Application, IDP and TrustedIDP) already considers the option that a Trusted IDP requires another protocol. The protocol independency is not yet supported in the Spring Web Flow and there is no "Protocol" interface yet.

Could you contribute to this feature in the Fediz IDP?

Thanks
Oli

________________________________________
From: Hrbacek, Stepan [stepan.hrbacek@atos.net]
Sent: 19 February 2014 07:24
To: users@cxf.apache.org
Subject: SSO in Fediz IdP

Hi.
After managing to do SSO to SharePoint 2010 using Fediz IdP/STS 1.1.0 with:
- User authenticating at the Fediz IdP using username and password.
- Validation of user credentials in a custom LoginModule in the Fediz STS.
- Retrieving claims via "LdapClaimsHandler" from LDAP in the Fediz STS.

Now I would like to bring the solution further and not require users to provide credentials at the Fediz IdP login page, but use an existing SSO state (HTTP cookie) created by a third-party SSO system protecting the company's intranet applications. Besides an intra-domain Web SSO based on SSO session cookies, the third-party SSO system can do inter-domain Web SSO via SAML 2.0 Web SSO or OAuth 2.0.

Following solution alternatives came to my mind:
1. Use SAML Web SSO:
* The Fediz IdP would be a SAML SP.
* The third-party SSO system would be a SAML IdP that issues a SAML assertion based on existing SSO state.
* The SAML assertion from the SAML IdP would be used to authenticate a user at Fediz IdP and STS.

2. Use third-party SSO state directly:
* Create a custom Spring security module for Fediz IdP that:
-- Redirects a user to an external login portal to authenticate and then back to Fediz IdP, if there isn't a third-party SSO cookie in the HTTP request.
-- Gets a session id from the third-party SSO cookie in the HTTP request.
-- Retrieves a username for the session from the third-party SSO system.
-- Sets the username as "name" and the session id as "credentials" into the org.springframework.security.core.Authentication object.
* Modify the custom LoginModule in Fediz STS, so that it only verifies that the session is valid.

The solution #2 seems feasible and easy to implement.
The solution #1 is cleaner from a concept point of view, but more complicated and I don't know if it is feasible in Fediz 1.1.0.

Could you please tell me which of the solutions is supported by Fediz, resp. if there is yet another solution for our SSO use case?
Kind regards,
Stepan.
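The Spring Security part of solution #2, as an added illustration that is not part of the original thread or of Fediz: a servlet filter that redirects to the external login portal when the SSO cookie is absent, otherwise resolves the session id to a username through the SSO system and stores username and session id in the Authentication object. The cookie name, the portal URL and its return parameter, and the ThirdPartySsoClient interface are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

// Hypothetical client for the third-party SSO system; returns null for unknown or expired sessions.
interface ThirdPartySsoClient {
    String resolveUsername(String sessionId);
}

public class ThirdPartySsoFilter extends OncePerRequestFilter {
    private static final String SSO_COOKIE = "SSO_SESSION";                  // assumed cookie name
    private static final String LOGIN_PORTAL = "https://sso.example.com/login"; // assumed portal URL
    private final ThirdPartySsoClient ssoClient;

    public ThirdPartySsoFilter(ThirdPartySsoClient ssoClient) { this.ssoClient = ssoClient; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Cookie cookie = WebUtils.getCookie(req, SSO_COOKIE);
        if (cookie == null) {
            // No third-party SSO state: send the user to the external portal, which returns them here afterwards
            // (the "return" parameter is an assumed contract of the portal).
            String back = req.getRequestURL().toString();
            res.sendRedirect(LOGIN_PORTAL + "?return=" + URLEncoder.encode(back, "UTF-8"));
            return;
        }
        String sessionId = cookie.getValue();
        // The username is looked up at the SSO system, never read from the cookie, so a forged cookie yields no identity.
        String username = ssoClient.resolveUsername(sessionId);
        if (username == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid SSO session");
            return;
        }
        // Username as principal, session id as credentials: the STS LoginModule re-validates the session id.
        Authentication auth = new UsernamePasswordAuthenticationToken(username, sessionId, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(req, res);
    }
}
```

The filter re-checks the session on every request it sees; placing it before the form-login filter in the Spring Security chain lets the IdP skip its own login page when the lookup succeeds.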

RE: SSO in Fediz IdP

Posted by Oliver Wulff <ow...@talend.com>.
I've raised the following JIRA for SAML-P support for trusted IDPs:
https://issues.apache.org/jira/browse/FEDIZ-73

And the following JIRA to support easy customization of trusted IDP protocols other than the one supported out of the box:
https://issues.apache.org/jira/browse/FEDIZ-72

Let me know what you think.

Thanks
Oli
