Hi Fabio,
You should also consider OAuth for SSO and might have a look at Apache Oltu 
(http://oltu.apache.org/).

Regards
Wolfgang

From: Fabio Martelli [mailto:fabio.marte...@gmail.com]
Sent: Monday, September 23, 2013 1:42 PM
To: user@syncope.apache.org
Subject: Re: Release Maggiore and authentication modules

On 23/09/2013 11:37, Oliver Wulff wrote:

Hi Fabio



I sent this mail to the mailing list because I didn't really get much 
information from the JIRA tickets.



Right now, I'm looking into adding SSO capabilities to Syncope with Apache CXF 
Fediz IDP. I noticed that security in the console is done with Wicket whereas 
in the core you use Spring Security. I also noticed the JIRA to probably use 
Apache Shiro, which is very close to Spring Security. Where do you want to use 
Shiro - console and/or core?



Apache CXF Fediz uses WS-Federation and SAML tokens for authentication which 
means the console gets a SAML token which contains the roles of the user. Due 
to the fact that the same roles are used for the core, this SAML token could be 
sent to the REST services. CXF JAX-RS supports SAML as described in [2].



WDYT?

Hi Oliver, as per SYNCOPE-160, the way to add the basis for providing access 
management features should be investigated.
I think that Shiro can be used mainly in the core. The console would be a 
generic client of Apache Syncope that will have to communicate with it in 
accordance with the authentication/authorization mechanism configured.

Currently, I don't know which will be the auth solution to be implemented for 
the console.
I don't exclude protecting the console via an Apache Syncope (AM) agent written 
ad-hoc.

Apache Shiro is just an idea; CXF Fediz could be evaluated as well.

Best regards,
F.





Thanks

Oli







[2] http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLassertionsinAuthorizationheader





