cxf-dev mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject RE: SSO in Fediz IdP
Date Thu, 20 Feb 2014 09:37:29 GMT
I've raised the following JIRA for SAML-P support for trusted IDPs:
https://issues.apache.org/jira/browse/FEDIZ-73

And the following JIRA to support easy customization of trusted IDP protocols other than the one
supported out of the box:
https://issues.apache.org/jira/browse/FEDIZ-72

Let me know what you think.

Thanks
Oli


________________________________________
From: Oliver Wulff [owulff@talend.com]
Sent: 19 February 2014 11:10
To: users@cxf.apache.org; dev@cxf.apache.org
Subject: RE: SSO in Fediz IdP

Hi Stepan

Let's move the discussion to the dev list.

You're right that solution #1 is the right approach. It is also tracked in the following
JIRA:

I'd like to keep the complexity and dependencies within the Fediz plugin (bundled with the
application/idp) as small as possible and add this functionality to the IDP, otherwise the
Fediz Plugin must support WS-Fed, SAML-P, OAuth, Facebook/LinkedIn authentication all together.

The Signin Flow is customizable (Spring Web Flow) which means you could add this functionality
on your own based on release 1.1. As you know, work started for 1.2 which adds support for
JPA/REST and Single Logout and we could add SAML-P support as well. The current domain model
for the involved parties (Application, IDP and TrustedIDP) considers already the option that
a Trusted IDP requires another protocol. The protocol independency is not yet supported in
the Spring Web Flow and there is no "Protocol" interface yet.

Could you contribute to this feature in the Fediz IDP?

Thanks
Oli

________________________________________
From: Hrbacek, Stepan [stepan.hrbacek@atos.net]
Sent: 19 February 2014 07:24
To: users@cxf.apache.org
Subject: SSO in Fediz IdP

Hi.
After managing to do SSO to SharePoint 2010 using Fediz IdP/STS 1.1.0 with:
- User authenticating at the Fediz IdP using username and password.
- Validation of user credentials in a custom LoginModule in the Fediz STS.
- Retrieving claims via "LdapClaimsHandler" from LDAP in the Fediz STS.

Now I would like to bring the solution further and not require users to provide credentials
at the Fediz IdP login page, but use an existing SSO state (HTTP cookie) created by a third-party
SSO system protecting company's intranet applications. Besides an intra-domain Web SSO based
on SSO session cookies, the third-party SSO system can do inter-domain Web SSO via SAML 2.0
Web SSO or OAuth 2.0.

Following solution alternatives came to my mind:
1. Use SAML Web SSO:
* The Fediz IdP would be a SAML SP.
* The third-party SSO system would be a SAML IdP that issues a SAML assertion based on existing
SSO state.
* The SAML assertion from the SAML IdP would be used to authenticate a user at Fediz IdP and
STS.

2. Use third-party SSO state directly:
* Create a custom Spring security module for Fediz IdP that:
-- Redirects a user to an external login portal to authenticate and then back to Fediz IdP,
if there isn't a third-party SSO cookie in HTTP request.
-- Gets a session id from the third-party SSO cookie in HTTP request.
-- Retrieves a username for the session from the third-party SSO system.
-- Sets the username as "name" and the session id as "credentials" into the org.springframework.security.core.Authentication
object.
* Modify the custom LoginModule in Fediz STS, so that it only verifies that the session is
valid.

The solution #2 seems feasible and easy to implement.
The solution #1 is cleaner from a concept point of view, but more complicated and I don't
know if it is feasible in Fediz 1.1.0.

Could you please tell me which of the solutions is supported by Fediz, resp. if there is yet
another solution for our SSO use case?
Kind regards,
Stepan.
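As an added illustration of solution #2 (this is example code written for this archive page, not code from the Fediz project or from either poster), the sketch below is a Spring Security filter that performs the four steps Stepan lists: redirect to an external login portal when no SSO cookie is present, read the session id from the cookie, resolve the session to a username against the third-party SSO system, and populate a Spring `Authentication` whose name is the username and whose credentials are the session id. The cookie name `SSO_SESSION`, the `ThirdPartySsoClient` interface and the portal URL are all assumptions; the real third-party system would supply its own lookup API. The security-relevant point the example makes explicit is that the cookie value is never trusted on its own: the session id is validated server-side before any principal is set, which is also what the STS-side LoginModule in step 2 of the proposal would re-check.

```java
// Example code for this archive page (not Fediz project code). Assumes Spring Security 3.x
// and the Servlet 2.5/3.0 API, which is what Fediz 1.1 ran on at the time of the thread.
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class ThirdPartySsoFilter extends OncePerRequestFilter {

    /** Hypothetical client for the third-party SSO system (assumption, not a real API). */
    public interface ThirdPartySsoClient {
        /** Returns the username bound to a valid session id, or null if the session is unknown or expired. */
        String resolveUser(String sessionId);
    }

    /** Assumed name of the third-party SSO session cookie. */
    private static final String SSO_COOKIE = "SSO_SESSION";

    private final ThirdPartySsoClient ssoClient;
    private final String loginPortalUrl;   // assumed external login portal, e.g. https://sso.example.com/login

    public ThirdPartySsoFilter(ThirdPartySsoClient ssoClient, String loginPortalUrl) {
        this.ssoClient = ssoClient;
        this.loginPortalUrl = loginPortalUrl;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        // Already authenticated in this Spring security context: nothing to do.
        if (SecurityContextHolder.getContext().getAuthentication() != null) {
            chain.doFilter(req, resp);
            return;
        }

        // Step 1/2: read the session id from the SSO cookie; redirect to the portal if absent.
        String sessionId = findCookie(req, SSO_COOKIE);
        if (sessionId == null) {
            redirectToPortal(req, resp);
            return;
        }

        // Step 3: the cookie alone proves nothing; validate the session id server-side.
        String username = ssoClient.resolveUser(sessionId);
        if (username == null) {
            // Stale or forged cookie: drop it so the portal round trip cannot loop forever.
            Cookie expired = new Cookie(SSO_COOKIE, "");
            expired.setMaxAge(0);
            expired.setPath("/");
            resp.addCookie(expired);
            redirectToPortal(req, resp);
            return;
        }

        // Step 4: username becomes the principal (and thus getName()), session id the credentials.
        SecurityContextHolder.getContext().setAuthentication(new SsoAuthentication(username, sessionId));
        chain.doFilter(req, resp);
    }

    private void redirectToPortal(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Return target is this IdP's own request URL, not a caller-supplied parameter,
        // so the redirect cannot be turned into an open redirect.
        String returnTo = URLEncoder.encode(req.getRequestURL().toString(), "UTF-8");
        resp.sendRedirect(loginPortalUrl + "?return=" + returnTo);
    }

    private static String findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName()) && c.getValue() != null && c.getValue().length() > 0) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Authentication carrying the third-party session id as credentials. */
    static final class SsoAuthentication extends AbstractAuthenticationToken {
        private final String username;
        private final String sessionId;

        SsoAuthentication(String username, String sessionId) {
            super(Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
            this.username = username;
            this.sessionId = sessionId;
            setAuthenticated(true);   // only set after the server-side validation above
        }

        @Override public Object getPrincipal() { return username; }
        @Override public Object getCredentials() { return sessionId; }
    }
}
```

The filter would be registered in the IdP's Spring Security filter chain ahead of the form-login entry point. Because the STS only sees the session id as the credential, its LoginModule (step 2 of the proposal) should call the same server-side lookup and reject the token if the session has since expired, rather than accepting a username that merely arrived alongside a cookie value.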
