Hi there


Due to extensions for the WS-Federation Web SSO support I'm looking into 
CXF-3882.



Let's assume an STS has configured several realms/security domains. What 
happens if I send a SAML token from one security domain and request a new SAML 
token from another security domain?



Right now, the STS will call the configured identityMapper to map the principal.



One of the nice things in WS-Federation is that you don't want to provision 
user ids for a single person in all realms (security domains) because it's an 
administration nightmare. Instead, you map the claims (any sort of statements 
made about a user) from one security domain to the other.



1) I'd propose to introduce a new interface ClaimsMapper which gets the source 
realm, target realm and source claims list and returns the target claims.



2) You configure the kind of relationship between the realms like this:



<bean class="org.apache.cxf.sts.StaticSTSProperties">
  ...
  <property name="relationships" ref="relationships"/>
</bean>

<util:list id="relationships">
   <bean class="org.apache.cxf.sts.claims.Relationship">
      <property name="source" value="www.company.com" />
      <property name="target" value="www.apache.org" />
      <property name="type" value="IdentityFederation|ClaimsFederation" />
      <property name="identityMapper" ref="" />
      <property name="claimsMapper" ref="" />
   </bean>
</util:list>
The StaticSTSProperties provides a new property called relationships which 
references a list of Relationship beans. The Relationship bean defines the type 
of relation when a security token from realm 'source' must be mapped to realm 
'target'. Whether identities or claims are mapped is defined in 'type'. The 
identityMapper and claimsMapper can be defined here but are optional, as the 
interfaces of the two are generic and can be defined globally. The 
relationship is not bidirectional. If you need to map a token from 
"www.apache.org" to "www.company.com" then you must define a new 
relationship, as the type of relation can be different.



What do you think?
------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com
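Added illustration (not part of the mail above and not CXF's own code): a self-contained Java sketch of the proposal, showing the ClaimsMapper interface with the signature described in point 1, a directional Relationship bean as in the configuration in point 2, and a resolver that refuses a request when no relationship is configured for the (source, target) pair. The Claim class, the StaticClaimsMapper, the RelationshipResolver, the claim type URIs and the realm names are all assumptions made for this example; CXF's real STS classes are not used.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical claim: a claim type URI plus a value (not CXF's own Claim class). */
final class Claim {
    final String type;
    final String value;
    Claim(String type, String value) { this.type = type; this.value = value; }
    @Override public String toString() { return type + "=" + value; }
}

/** The interface sketched in the mail: source realm, target realm and source claims in, target claims out. */
interface ClaimsMapper {
    List<Claim> mapClaims(String sourceRealm, String targetRealm, List<Claim> sourceClaims);
}

/** One entry of the proposed 'relationships' list. It is directional: source -> target only. */
final class Relationship {
    enum Type { IdentityFederation, ClaimsFederation }
    final String source;
    final String target;
    final Type type;
    final ClaimsMapper claimsMapper; // optional in the proposal; needed here when type is ClaimsFederation
    Relationship(String source, String target, Type type, ClaimsMapper claimsMapper) {
        this.source = source; this.target = target; this.type = type; this.claimsMapper = claimsMapper;
    }
}

/** Table-driven mapper (assumed): only explicitly listed (type, value) pairs cross the realm boundary. */
final class StaticClaimsMapper implements ClaimsMapper {
    private final Map<String, Claim> table = new HashMap<>();

    StaticClaimsMapper add(String srcType, String srcValue, String dstType, String dstValue) {
        table.put(srcType + "|" + srcValue, new Claim(dstType, dstValue));
        return this;
    }

    @Override
    public List<Claim> mapClaims(String sourceRealm, String targetRealm, List<Claim> sourceClaims) {
        List<Claim> out = new ArrayList<>();
        for (Claim c : sourceClaims) {
            Claim mapped = table.get(c.type + "|" + c.value);
            if (mapped != null) out.add(mapped); // unmapped claims are dropped, never forwarded as-is
        }
        return out;
    }
}

/** Looks up the relationship for a (source, target) pair; no entry means the request is refused. */
final class RelationshipResolver {
    private final Map<String, Relationship> byPair = new HashMap<>();

    RelationshipResolver(List<Relationship> relationships) {
        for (Relationship r : relationships) byPair.put(r.source + "->" + r.target, r);
    }

    List<Claim> federate(String sourceRealm, String targetRealm, List<Claim> claims) {
        Relationship r = byPair.get(sourceRealm + "->" + targetRealm);
        if (r == null) {
            throw new IllegalStateException("no relationship configured for " + sourceRealm + " -> " + targetRealm);
        }
        if (r.type != Relationship.Type.ClaimsFederation) {
            throw new IllegalStateException("relationship " + sourceRealm + " -> " + targetRealm + " is " + r.type);
        }
        return r.claimsMapper.mapClaims(sourceRealm, targetRealm, claims);
    }
}

public class ClaimsFederationDemo {
    public static void main(String[] args) {
        // Constructed sample configuration: one directional relationship, as in the mail's XML.
        String roleType = "urn:example:claims:role";   // assumed claim type URI
        String emailType = "urn:example:claims:email"; // assumed claim type URI
        ClaimsMapper mapper = new StaticClaimsMapper().add(roleType, "employee", roleType, "committer");
        RelationshipResolver resolver = new RelationshipResolver(List.of(
            new Relationship("www.company.com", "www.apache.org", Relationship.Type.ClaimsFederation, mapper)));

        // Constructed claims from a token issued in the source realm.
        List<Claim> incoming = List.of(new Claim(roleType, "employee"), new Claim(emailType, "alice@company.com"));

        // Configured direction: role is translated, the unmapped email claim is dropped.
        System.out.println(resolver.federate("www.company.com", "www.apache.org", incoming));

        // Reverse direction has no relationship, so the STS must refuse rather than map by default.
        try {
            resolver.federate("www.apache.org", "www.company.com", incoming);
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that both failure modes are closed: a claim with no entry in the table is not forwarded unchanged, and a realm pair with no configured relationship raises rather than falling back to the global mapper, which keeps the "not bidirectional" rule from the mail enforceable in code.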
