cxf-dev mailing list archives

From Sergey Beryozkin <>
Subject Moving the SAML SSO SP code to its own module
Date Wed, 09 May 2012 21:33:05 GMT

Colm and myself have been working recently on the initial support for 
the SAML-based Web SSO support on the Service Provider (SP) side.

What we've got at the moment is the filters which can enforce the 
security context and redirect via GET or POST to the IDP, validate 
SAMLResponse and set the security context.

There's still a bit of work that needs to be completed, to do with the 
better security context population on the actual application path, more 
sophisticated support for the session management, supporting the 
delegation of the SAMLResponse validation. Then going forward we can 
think about the logout support, artifact resolution support, etc, etc...

Right now, the code lives in rt/rs/security/xml, I started prototyping 
the code there simply because it already contained the support for 
SAML-based validation of SAML assertions, etc.

However, given a number of enhancements that are expected to be added 
for the SSO-based support, we thought with Colm that it would make sense 
to move the relevant code to its own dedicated module. As I said earlier 
I believe this code should work with different IDPs, so for now I'm not 
sure that it should be moved to the Fediz sub-project. I guess the 
possibility of moving to Fediz can be reviewed later on again, but right 
now I'd suggest creating a module such as


under rt/rs/security/sso/saml

with the idea that perhaps some other SSO technologies will be supported 
at the CXF RS level in the future.

Comments are welcome.

Cheers, Sergey
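The two SP-side steps the message describes (redirecting the browser to the IdP, then validating the SAMLResponse before populating the security context) as an added, self-contained example. This is illustrative code written for this page, not CXF's own filters or Fediz code; the IdP/SP URLs, entity IDs, clock-skew tolerance and the sample response are all constructed here. It assumes the response's XML signature has already been verified against the IdP's known certificate (that step needs an XML-DSig library and is left out), and shows the remaining checks an SP must make before trusting the assertion: InResponseTo, Destination, Status, Issuer, validity window, Audience and SubjectConfirmationData.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# SAML 2.0 namespaces used below.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=2)  # assumed tolerance for IdP/SP clock drift


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, relay_state, request_id=None):
    """SP step 1: build the HTTP-Redirect binding URL that sends the browser to the IdP.

    Returns (url, request_id). The SP must remember request_id (e.g. in the session)
    so the later SAMLResponse can be tied to this request through InResponseTo.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(datetime.now(timezone.utc))}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    # HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), base64, URL-encode.
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}", request_id


def validate_response(saml_response_b64, expected_request_id, sp_entity_id, acs_url,
                      idp_entity_id, now=None):
    """SP step 2: check the SAMLResponse the IdP POSTed to the ACS URL.

    Assumes the XML signature was ALREADY verified against the IdP certificate.
    Returns (name_id, attributes) for the security context, or raises ValueError.
    """
    now = now or datetime.now(timezone.utc)
    # stdlib ElementTree does not fetch external entities, so XXE is not a concern here.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    # Tie the response to a request this SP actually issued (blocks replayed/unsolicited responses).
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected Response Issuer")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected Assertion Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if now < _parse_ts(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("Assertion not yet valid")
    if now >= _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("Assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != expected_request_id):
        raise ValueError("SubjectConfirmationData does not match this SP/request")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def make_sample_response(request_id, not_before, not_on_or_after, acs_url="https://sp.example/acs",
                         audience="https://sp.example", issuer="https://idp.example"):
    """Constructed, unsigned sample SAMLResponse for exercising validate_response()."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
        f'Version="2.0" IssueInstant="{_ts(not_before)}" Destination="{acs_url}" '
        f'InResponseTo="{request_id}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(not_before)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{acs_url}" '
        f'InResponseTo="{request_id}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
        f'<saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue>'
        f"</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

The InResponseTo check is what makes the stored request ID worth keeping in the session: a response that does not match an outstanding request is rejected even when everything else in it is well-formed, which is the point the message makes about the filter "enforcing" the security context rather than merely reading the response.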
