Hi Oli, Makes sense to me. One question is will the change be backwards compatible with the way the IdentityMapper is currently used?
Colm.

On Fri, Jan 27, 2012 at 9:11 AM, Oliver Wulff <[email protected]> wrote:
> Hi there
>
> Due to extensions for the WS-Federation Web SSO support I'm looking into
> CXF-3882.
>
> Let's assume an STS has configured several realms/security domains. What
> happens if I send a SAML token from one security domain and request a new
> SAML token from another security domain?
>
> Right now, the STS will call the configured identityMapper to map the
> principal.
>
> One of the nice things in WS-Federation is that you don't want to provision
> user ids for a single person in all realms (security domains) because it's an
> administration nightmare. Instead, you map the claims (any sort of statements
> made about a user) from one security domain to the other.
>
> 1) I'd propose to introduce a new interface ClaimsMapper which gets the source
> realm, target realm and source claims list and returns the target claims.
>
> 2) You configure the kind of relationship between the realms like this:
>
> <bean class="org.apache.cxf.sts.StaticSTSProperties">
>   ...
>   <property name="relationships" ref="relationships"/>
> </bean>
>
> <util:list id="relationships">
>   <bean class="org.apache.cxf.sts.claims.Relationship">
>     <property name="source" value="www.company.com" />
>     <property name="target" value="www.apache.org" />
>     <property name="type" value="IdentityFederation|ClaimsFederation" />
>     <property name="identityMapper" ref="" />
>     <property name="claimsMapper" ref="" />
>   </bean>
> </util:list>
>
> The StaticSTSProperties provides a new property called relationships which
> references a list of Relationship beans. The Relationship bean defines the
> type of relation when a security token from realm 'source' must be mapped to
> realm 'target'. Whether identities or claims are mapped is defined in 'type'.
> The identityMapper and claimsMapper can be defined here but are optional as
> the interfaces of the two are generic and can be defined globally. The
> relationship is not bidirectional. If you need to map a token from
> "www.apache.org" to "www.company.com" then you must define a new
> relationship as the type of relation can be different.
>
> What do you think?
>
> ------
> Oliver Wulff
>
> http://owulff.blogspot.com
> Solution Architect
> Talend Application Integration Division http://www.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
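Added illustration of the realm-relationship proposal quoted above; this is example code written for this page, not CXF code and not part of the thread. The names ClaimsMapper, IdentityMapper, Relationship and the IdentityFederation/ClaimsFederation types are taken from the proposal, but the method signatures, the TableClaimsMapper, the resolve/federate helpers and the realm and claim URIs are assumptions and constructed sample data. It shows the two points a practitioner would check in such a design: the lookup is strictly directional (www.company.com -> www.apache.org does not imply the reverse, and an unconfigured direction is refused rather than falling back to a default), and a ClaimsMapper should be an allow-list, so claims and claim values the target realm has not been told about are dropped instead of being copied into the new token. Requires Java 17.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/*
 * Illustrative model of the proposed realm-to-realm mapping (not CXF code).
 * Interface names follow the proposal in the mail; signatures, the table-driven
 * mapper and all realm/claim identifiers below are assumptions for this example.
 */
public class RealmMappingExample {

    /** A claim: a statement about the subject, as a type URI plus its values. */
    public record Claim(String type, List<String> values) {}

    public enum RelationshipType { IdentityFederation, ClaimsFederation }

    /** Proposed ClaimsMapper: (source realm, target realm, source claims) -> target claims. */
    public interface ClaimsMapper {
        List<Claim> mapClaims(String sourceRealm, String targetRealm, List<Claim> sourceClaims);
    }

    /** The per-principal mapping the STS calls today. */
    public interface IdentityMapper {
        String mapPrincipal(String sourceRealm, String principal, String targetRealm);
    }

    /** One directed source -> target edge; the reverse direction is a separate Relationship. */
    public record Relationship(String source, String target, RelationshipType type,
                               IdentityMapper identityMapper, ClaimsMapper claimsMapper) {}

    /** Resolve the relationship for this exact direction; fail closed when none is configured. */
    public static Relationship resolve(List<Relationship> relationships, String source, String target) {
        Optional<Relationship> match = relationships.stream()
                .filter(r -> r.source().equals(source) && r.target().equals(target))
                .findFirst();
        return match.orElseThrow(() -> new SecurityException(
                "no relationship configured from realm " + source + " to realm " + target));
    }

    /** Allow-list mapper: only claim types present in the table are forwarded, with values translated. */
    public static class TableClaimsMapper implements ClaimsMapper {
        private final Map<String, String> typeTable;                // source type -> target type
        private final Map<String, Map<String, String>> valueTable;  // source type -> (value -> value)

        public TableClaimsMapper(Map<String, String> typeTable, Map<String, Map<String, String>> valueTable) {
            this.typeTable = typeTable;
            this.valueTable = valueTable;
        }

        @Override
        public List<Claim> mapClaims(String sourceRealm, String targetRealm, List<Claim> sourceClaims) {
            List<Claim> out = new ArrayList<>();
            for (Claim c : sourceClaims) {
                String targetType = typeTable.get(c.type());
                if (targetType == null) {
                    continue; // unknown claim from the foreign realm: drop it, never pass it through
                }
                Map<String, String> values = valueTable.getOrDefault(c.type(), Map.of());
                List<String> mapped = c.values().stream()
                        .map(values::get)          // unmapped values become null ...
                        .filter(v -> v != null)    // ... and are dropped as well
                        .toList();
                if (!mapped.isEmpty()) {
                    out.add(new Claim(targetType, mapped));
                }
            }
            return out;
        }
    }

    /** Dispatch principal and claims according to the configured relationship type. */
    public static List<Claim> federate(List<Relationship> relationships, String source, String target,
                                       String principal, List<Claim> claims) {
        Relationship rel = resolve(relationships, source, target);
        switch (rel.type()) {
            case IdentityFederation -> {
                String mapped = rel.identityMapper().mapPrincipal(source, principal, target);
                return List.of(new Claim("name", List.of(mapped)));
            }
            case ClaimsFederation -> {
                return rel.claimsMapper().mapClaims(source, target, claims);
            }
        }
        throw new IllegalStateException("unknown relationship type " + rel.type());
    }

    public static void main(String[] args) {
        // Constructed sample: www.company.com issues a 'role' claim that www.apache.org
        // knows under a different type URI and with different values.
        ClaimsMapper mapper = new TableClaimsMapper(
                Map.of("http://company.example/claims/role", "http://apache.example/claims/group"),
                Map.of("http://company.example/claims/role", Map.of("Developer", "committer")));
        List<Relationship> relationships = List.of(
                new Relationship("www.company.com", "www.apache.org",
                        RelationshipType.ClaimsFederation, null, mapper));

        List<Claim> incoming = List.of(
                new Claim("http://company.example/claims/role", List.of("Developer", "Admin")),
                new Claim("http://company.example/claims/cost-centre", List.of("4711")));

        // Only the mapped role survives; 'Admin' and the cost-centre claim are dropped.
        System.out.println(federate(relationships, "www.company.com", "www.apache.org", "alice", incoming));

        try { // the reverse direction was never configured, so the STS must refuse it
            federate(relationships, "www.apache.org", "www.company.com", "bob", List.of());
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The `resolve` step is where the "not bidirectional" rule from the proposal becomes enforceable: keying the lookup on the ordered (source, target) pair means a relationship trusted in one direction cannot be replayed in the other, and throwing instead of returning a default relationship keeps a misconfigured STS from silently issuing tokens for realms it was never told to federate with.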
