The SP on your servers, the thing that redirects the users to the
login page, should receive information about the user.  See this
diagram for an overview of the SAML process from the user's
perspective:
 http://code.google.com/apis/apps/sso/saml_workflow_vertical.gif

If you want the full text of the article, it's available here:
 https://www-304.ibm.com/connections/blogs/sweeden/tags/tfim?lang=en_us

This page provides a diagram with a bit more detail:
 http://developers.sun.com/identity/reference/techart/troubleshooting4.html

It's not a simple thing, but understanding the key concepts will go a
long way toward understanding all the other things, implementation
details included. I suggest reading up on these things:
- SAML, SAML assertion
- SAML IdP (identity provider)
- SAML SP (service provider)

Wikipedia is a good place to start:
 http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Knowledge is key.  Anything can seem overwhelming if it is not understood.

Axton Grams

On Fri, Nov 4, 2011 at 11:05 AM, O'Hara, Brad <[email protected]> wrote:
>
> Axton,
>
>   Thanks, this is sounding more complicated by the minute :)  I was hoping
> someone had already taken a stab at this.  One thing about the credentials,
> the Shibboleth implementation we have directs the user to a login page and
> we do not have access to them from there.
>
> Brad
>
> From: Action Request System discussion list(ARSList)
> [mailto:[email protected]] On Behalf Of Axton
> Sent: Thursday, November 03, 2011 11:33 AM
> To: [email protected]
> Subject: Re: Shibboleth
>
> In theory it is possible for the mid-tier authentication.  I have read up
> on it and looked into what it would take.  I will say that it will require
> some programming on your part to make it happen.
>
> - In Shibboleth, you will need an IdP and a realm for your mid-tier
> application
>
> - On the web server in front of the mid-tier, you need something that is
> capable of issuing/handling a SAML assertion (an SP)
>
> - You need to hand the SP provided information from the web server to the
> servlet container (object; method is implementation dependent)
>
> - Within the mid-tier, you need to implement a custom authentication servlet
> to handle the assertion
>
> - Within the ARServer, you need to implement an AREA plugin capable of
> taking the data from your custom authentication servlet and authenticating
> the user
>
> I have intentionally left out the details of how to create a trusted
> handshake between the mid-tier and AREA plug-in.  This is an area of much
> debate.  Ideally you would re-validate the credentials passed to the AREA
> plugin within the AREA plugin.  What is more common is a shared secret
> between the authentication servlet and the AREA plugin.  I'm not a fan of
> the shared secret approach because once the cat's out of the bag (that being
> the shared secret), it's out, and people can blindly authenticate to your
> arserver.
>
> This is all theory, not practice, so there may be some things that I've missed.
> Also, there may be other ways to approach this, for example, you may not
> have a web server in front of your servlet container, in which case the
> architecture, and subsequently, the implementation, changes.
>
> Axton Grams
>
> On Thu, Nov 3, 2011 at 9:38 AM, O'Hara, Brad <[email protected]> wrote:
>
> Hi,
>
>   Has anyone been able to use Shibboleth for authentication?
>
> Thanks,
>
> Brad
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------
> Brad O'Hara
> Manager: Network Support Services
> Computing and Networking Services
> University of Florida
> net-services.ufl.edu : Voice (352) 273-1347 : Fax (352) 273-0743
>
> _attend WWRUG12 www.wwrug.com ARSlist: "Where the Answers Are"_
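The hand-off between the custom authentication servlet and the AREA plugin that Axton describes above (a static shared secret versus re-validating in the plugin), modelled as an added example. This is not code from the thread, from the AR System mid-tier or from Shibboleth, and it uses no AR System, servlet or SAML API; it is written in Python as a language-neutral model of the two sides, where the real servlet and plugin would be Java or C. The names mint_handoff_token, HandoffValidator, plugin_accepts_shared_secret and demo, the key and secret values, and the clock values are all hypothetical, constructed for the illustration.

```python
"""Model of the hand-off from the mid-tier authentication servlet to the
AREA plugin.  Hypothetical illustration: no AR System, Shibboleth or SAML
API is used.  The servlet side has already been told by the SP who the user
is; the question is what the plugin side can check before trusting that."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Variant 1: the plain shared secret the thread calls the common approach.
SHARED_SECRET = "constructed-example-secret"   # constructed value for the demo


def plugin_accepts_shared_secret(user_id: str, presented: str) -> bool:
    """Plugin side.  The user id is not bound to anything, so any caller
    holding the secret is accepted as any user: the objection in the thread."""
    return hmac.compare_digest(presented, SHARED_SECRET)


# Variant 2: a per-login token the plugin re-validates itself.
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(user_id: str, key: bytes, now: float, ttl: int = 30) -> str:
    """Servlet side: bind the SP-asserted user id to a short validity window
    and a one-time nonce, then sign the body with the hand-off key (HMAC-SHA256)."""
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl,
               "nonce": secrets.token_hex(16)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


class HandoffValidator:
    """Plugin side: check signature, validity window and replay before
    accepting the user id carried in the token."""

    def __init__(self, key: bytes, clock_skew: int = 5):
        self._key = key
        self._skew = clock_skew
        self._seen = set()   # nonces already accepted; a real plugin bounds this

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id the token vouches for, or None if rejected."""
        try:
            body_b64, sig_b64 = token.split(".", 1)
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                       # wrong key or modified body
        payload = json.loads(body)
        if not (payload["iat"] - self._skew <= now <= payload["exp"] + self._skew):
            return None                       # outside the validity window
        if payload["nonce"] in self._seen:
            return None                       # token presented twice
        self._seen.add(payload["nonce"])
        return payload["sub"]


def demo() -> dict:
    """Run both variants against fixed clock values (constructed data only)."""
    key = b"constructed-handoff-key"          # constructed; rotate per deployment
    validator = HandoffValidator(key)
    token = mint_handoff_token("brad", key, now=1000.0)
    out = {}
    out["valid"] = validator.validate(token, now=1010.0)       # "brad"
    out["replay"] = validator.validate(token, now=1011.0)      # None, nonce seen
    out["expired"] = validator.validate(
        mint_handoff_token("brad", key, now=1000.0), now=1100.0)  # None, 30 s ttl
    # A body with the subject rewritten but the original signature must fail.
    body_b64, sig_b64 = token.split(".", 1)
    edited = json.loads(_unb64(body_b64))
    edited["sub"] = "someone-else"
    edited_body = json.dumps(edited, sort_keys=True, separators=(",", ":")).encode()
    out["edited_subject"] = validator.validate(f"{_b64(edited_body)}.{sig_b64}", now=1010.0)
    out["wrong_key"] = HandoffValidator(b"another-key").validate(
        mint_handoff_token("brad", key, now=1000.0), now=1010.0)  # None
    # The plain shared secret says nothing about which user is logging in.
    out["shared_secret_any_user"] = plugin_accepts_shared_secret("anyone", SHARED_SECRET)
    return out


if __name__ == "__main__":
    print(demo())
```

The token variant still rests on a key held by both sides, so it is not the full re-validation of the SAML assertion inside the plugin that Axton calls ideal. What it removes is the property of the static secret that one leaked value lets a caller log in as any user, at any time, as often as they like: the signature binds the user id, the window bounds when the token is usable, and the nonce set limits it to one login.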

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org