cxf-dev mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject Re: [CXF-3882] WS-Federation and Claims transformation
Date Tue, 31 Jan 2012 19:23:25 GMT
Hi Colm

If you don't configure the relationship list it will go by calling the configured IdentityMapper.

Thanks
Oli

------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: Tuesday, 31 January 2012 17:23
To: dev@cxf.apache.org
Subject: Re: [CXF-3882] WS-Federation and Claims transformation

Hi Oli,

Makes sense to me. One question is will the change be backwards
compatible with the way the IdentityMapper is currently used?

Colm.

On Fri, Jan 27, 2012 at 9:11 AM, Oliver Wulff <owulff@talend.com> wrote:
> Hi there
>
> Due to extensions for the WS-Federation Web SSO support I'm looking into CXF-3882.
>
> Let's assume an STS has configured several realms/security domains. What happens if I
> send a SAML token from one security domain and request a new SAML token from another security
> domain?
>
> Right now, the STS will call the configured identityMapper to map the principal.
>
> One of the nice things in WS-Federation is that you don't want to provision a user id for
> a single person in all realms (security domains) because it's an administration nightmare.
> Instead, you map the claims (any sort of statements made about a user) from one security domain
> to the other.
>
> 1) I'd propose to introduce a new interface ClaimsMapper which gets the source realm,
> target realm and source claims list and returns the target claims.
>
> 2) You configure the kind of relationship between the realms like this:
>
> <bean class="org.apache.cxf.sts.StaticSTSProperties">
>   ...
>   <property name="relationships" ref="relationships"/>
> </bean>
>
> <util:list id="relationships">
>   <bean class="org.apache.cxf.sts.claims.Relationship">
>      <property name="source" value="www.company.com" />
>      <property name="target" value="www.apache.org" />
>      <property name="type" value="IdentityFederation|ClaimsFederation" />
>      <property name="identityMapper" ref="" />
>      <property name="claimsMapper" ref="" />
>   </bean>
> </util:list>
>
> The StaticSTSProperties provides a new property called relationships which references
> a list of Relationship beans. The Relationship bean defines the type of relation when a security
> token from realm 'source' must be mapped to realm 'target'. Whether identities or claims are
> mapped is defined in 'type'. The identityMapper and claimsMapper can be defined here but are
> optional as the interfaces of the two are generic and can be defined globally. The relationship
> is not bidirectional. If you need to map a token from "www.apache.org"
> to "www.company.com" then you must define a new relationship
> as the type of relation can be different.
>
> What do you think?
>
> ------
>
> Oliver Wulff
>
> http://owulff.blogspot.com
> Solution Architect
> Talend Application Integration Division http://www.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
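The directional relationship lookup from the quoted proposal, together with Oli's answer above that an unconfigured relationship list falls back to the IdentityMapper, as an added Java sketch. It is not CXF's code; the class RealmFederation, the method mapForTarget, the interface signatures and the refuse-if-unconfigured default are assumptions made here.

```java
import java.util.*;

// Added sketch of the realm-relationship / ClaimsMapper design from the quoted proposal.
// All names here are assumptions for illustration, not CXF's actual API.
public class RealmFederation {
    public enum RelationType { IdentityFederation, ClaimsFederation }

    public interface IdentityMapper {
        String mapPrincipal(String sourceRealm, String targetRealm, String principal);
    }

    public interface ClaimsMapper {
        Map<String, String> mapClaims(String sourceRealm, String targetRealm, Map<String, String> sourceClaims);
    }

    // One directional relationship, mirroring the Relationship bean in the proposed config.
    public static final class Relationship {
        final String source, target; final RelationType type;
        final IdentityMapper identityMapper; final ClaimsMapper claimsMapper;   // optional, may be null
        public Relationship(String source, String target, RelationType type, IdentityMapper im, ClaimsMapper cm) {
            this.source = source; this.target = target; this.type = type; this.identityMapper = im; this.claimsMapper = cm;
        }
    }

    private final List<Relationship> relationships;     // null when no relationship list is configured
    private final IdentityMapper globalIdentityMapper;  // global fallbacks used when a relationship sets none
    private final ClaimsMapper globalClaimsMapper;

    public RealmFederation(List<Relationship> rels, IdentityMapper im, ClaimsMapper cm) {
        this.relationships = rels; this.globalIdentityMapper = im; this.globalClaimsMapper = cm;
    }

    // Decides what the STS puts into the token issued for targetRealm from a token of sourceRealm.
    public Map<String, String> mapForTarget(String sourceRealm, String targetRealm,
                                            String principal, Map<String, String> claims) {
        // No relationship list configured: keep today's behaviour and call the IdentityMapper.
        if (relationships == null) {
            return Map.of("principal", globalIdentityMapper.mapPrincipal(sourceRealm, targetRealm, principal));
        }
        // Relationships are not bidirectional: only an entry with this exact (source -> target) order matches.
        // The proposal does not say what to do for an unconfigured pair; refusing to issue is the safe default.
        Relationship rel = relationships.stream()
            .filter(r -> r.source.equals(sourceRealm) && r.target.equals(targetRealm))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("no relationship " + sourceRealm + " -> " + targetRealm));
        if (rel.type == RelationType.IdentityFederation) {
            IdentityMapper im = rel.identityMapper != null ? rel.identityMapper : globalIdentityMapper;
            return Map.of("principal", im.mapPrincipal(sourceRealm, targetRealm, principal));
        }
        ClaimsMapper cm = rel.claimsMapper != null ? rel.claimsMapper : globalClaimsMapper;
        return cm.mapClaims(sourceRealm, targetRealm, claims);   // ClaimsFederation: only claims cross realms
    }
}
```

A Spring bean built from the util:list in the proposal would supply the rels argument, one Relationship per (source, target) pair.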