tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51334] New: Web SSO support based on WS-Federation Passive Requestor Profile
Date Tue, 07 Jun 2011 11:39:20 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51334

             Bug #: 51334
           Summary: Web SSO support based on WS-Federation Passive
                    Requestor Profile
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: oliver.wulff@zurich.ch
    Classification: Unclassified


The specification WS-Federation describes the Web SSO solution in chapter 13:
http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf

Tomcat should support this standard to integrate with other SSO solutions
natively.

Initially, an unauthenticated request is redirected to an identity provider
(IP) which issues for instance a SAML token. The IP is an external system. The
SAML token is validated by Tomcat (Replying Party) and creates the security
context in Tomcat.

The idea is to write a custom Authenticator which triggers the redirect,
verifies the signed SAML token, reads the claims information (like Role), set
up a cookie and create the security context.

The authenticator must provide the following configuration options:
- URL of IDP (mandatory)
- audience URI (mandatory)
- trusted certificate (signed SAML token) (mandatory)
- service (RP) keystore to decrypt encrypted SAML tokens (optional)
- list of requested claims (firstname, lastname, email, ...  see
http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.pdf)
- URI of the claim which contains the roles (needed for isUserInRole()...)
- token type, SAML 1.1, 2.0

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message