not sure i get it, currently if you come from another rp that the one which logged in the user it need the password *again*
*Romain Manni-Bucau* *Twitter: @rmannibucau* *Blog: http://rmannibucau.wordpress.com* 2012/8/21 Sergey Beryozkin <[email protected]> > On 21/08/12 11:53, Romain Manni-Bucau wrote: > >> from what i saw (IdpServlet) it doesn't keep it and need the password (but >> i maybe missed sthg): >> http://svn.apache.org/repos/**asf/cxf/fediz/trunk/services/** >> idp/src/main/java/org/apache/**cxf/fediz/service/idp/**IdpServlet.java<http://svn.apache.org/repos/asf/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java> >> > This is what I was saying, IDP manages the actual login and hence it needs > a user to actually log on (using Basic Auth - password, client cert, > whatever), whereas SP (or RP) applications have to manage the state which > would let them validate via some back channel (using WS-Fed in Fediz's > case) that the log-in is active... > > IDP need to keep a state of their own in order to let user avoid entering > the password again, while the session is active, in cases when say the RP > has been restarted and redirected the user back to IDP to log on, I guess > IdpServlet can handle that and if not then it could require a minor update, > but I think, as far as multiple RP applications are concerned and their > state, it's not what IdpServlet itself will manage > > Cheers, Sergey > > >> *Romain Manni-Bucau* >> *Twitter: @rmannibucau* >> *Blog: http://rmannibucau.wordpress.**com<http://rmannibucau.wordpress.com> >> * >> >> >> >> >> 2012/8/21 Sergey Beryozkin<[email protected]**> >> >> Hi >>> >>> On 21/08/12 11:42, Romain Manni-Bucau wrote: >>> >>> well i thought of some distributed solutions but for me that's not a >>>> solution since you keep the password instead of keeping the token, i >>>> think >>>> the current logic flow is not matching this requirement (but is it a >>>> fediz >>>> requirement?) >>>> >>>> >>>> My understanding that it is only IDP that keeps, indirectly, the >>> password >>> and the state management at the RP side is all about getting the login >>> token shared, but I'm not sure yet how Fediz does it, shame I haven't >>> debugged it yet, need to do it asap :-) >>> >>> Cheers, Sergey >>> >>> *Romain Manni-Bucau* >>> >>>> *Twitter: @rmannibucau* >>>> *Blog: http://rmannibucau.wordpress.****com<http://rmannibucau.** >>>> wordpress.com <http://rmannibucau.wordpress.com>> >>>> * >>>> >>>> >>>> >>>> >>>> >>>> 2012/8/21 Sergey Beryozkin<[email protected]****> >>>> >>>> On 20/08/12 22:17, Romain Manni-Bucau wrote: >>>> >>>>> >>>>> two distinct RP webapps (let say in different tomcat). >>>>> >>>>>> >>>>>> currently it "almost works" because with 401 the client (browser) will >>>>>> cache authorization header so it will seem it work but since you >>>>>> change >>>>>> the >>>>>> way you login (and the user/pass is no more in headers) it can't work >>>>>> anymore (typically a form). >>>>>> >>>>>> >>>>>> This seems like a state management issue to me. Fediz currently >>>>> relies on >>>>> the servlet container to manage the session state, so if you say have >>>>> the >>>>> single application running on two Tomcat containers then Tomcat has to >>>>> be >>>>> configured to get the state shared between multiple containers, I >>>>> recall >>>>> I >>>>> saw some material on the web on how to do it, >>>>> >>>>> Alternatively, the state can be managed by Fediz itself (similarly to >>>>> the >>>>> way we do it with Web profile), may be we can support that too once >>>>> CXF-centric extensions are added >>>>> >>>>> Cheers, Sergey >>>>> >>>>> >>>>> The point today is "what's next' in IDP? I mean, does fediz aims to >>>>> >>>>>> provide >>>>>> extensibility or will user need to fork the IDP to get some custom >>>>>> features >>>>>> (i know the answer will not be yes or no ;), but a state is important >>>>>> IMO)? >>>>>> >>>>>> *Romain Manni-Bucau* >>>>>> *Twitter: @rmannibucau* >>>>>> *Blog: http://rmannibucau.wordpress.******com<http://rmannibucau.** >>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com> >>>>>> >> >>>>>> >>>>>> >>>>>> * >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> 2012/8/20 Oliver Wulff<[email protected]> >>>>>> >>>>>> Hi Romain >>>>>> >>>>>> >>>>>>> The IDP has a lot of potential for new features. At the very >>>>>>> beginning, >>>>>>> the Fediz IDP was intended to mock an IDP and test your application >>>>>>> but >>>>>>> it >>>>>>> has grown as you can meanwhile attach LDAP for authentication and >>>>>>> claims >>>>>>> support. >>>>>>> >>>>>>> I'm not sure what you mean by classical SSO between two web apps? >>>>>>> >>>>>>> Thanks >>>>>>> Oli >>>>>>> >>>>>>> ------ >>>>>>> >>>>>>> Oliver Wulff >>>>>>> >>>>>>> Blog: http://owulff.blogspot.com >>>>>>> Solution Architect >>>>>>> http://coders.talend.com >>>>>>> >>>>>>> Talend Application Integration Division http://www.talend.com >>>>>>> >>>>>>> ______________________________******__________ >>>>>>> >>>>>>> >>>>>>> From: Romain Manni-Bucau [[email protected]] >>>>>>> Sent: 17 August 2012 15:13 >>>>>>> To: [email protected] >>>>>>> Subject: Re: fediz& SSO? >>>>>>> >>>>>>> >>>>>>> ok, great, so i'll wait some news from fediz ;) >>>>>>> >>>>>>> thanks for the answer >>>>>>> >>>>>>> *Romain Manni-Bucau* >>>>>>> *Twitter: @rmannibucau* >>>>>>> *Blog: http://rmannibucau.wordpress.******com<http://rmannibucau.** >>>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com> >>>>>>> >> >>>>>>> * >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2012/8/17 Sergey Beryozkin<[email protected]******> >>>>>>> >>>>>>> Hi >>>>>>> >>>>>>> >>>>>>>> On 17/08/12 09:11, Romain Manni-Bucau wrote: >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> >>>>>>>>> i didn't see anything in the roadmap of fediz regarding the >>>>>>>>> 'classical' >>>>>>>>> SSO >>>>>>>>> (between 2 webapps with GUI). >>>>>>>>> >>>>>>>>> It doesn't seem to currently work (well that's not a big surprise >>>>>>>>> but >>>>>>>>> that's a big problem for real applications which have GUI + WS). >>>>>>>>> >>>>>>>>> Any information about it? >>>>>>>>> >>>>>>>>> >>>>>>>>> Colm and myself worked on implementing SAML SSO Web Profile at >>>>>>>>> the >>>>>>>>> SP >>>>>>>>> >>>>>>>>> >>>>>>>> side >>>>>>>> >>>>>>> >>>>>>> only, currently in CXF, implemented with the help of JAX-RS >>>>>>> >>>>>>>> filters/endpoints. I hope we can come to some agreement soon enough >>>>>>>> on >>>>>>>> >>>>>>>> how >>>>>>>> >>>>>>> >>>>>>> to get it linked with Fediz >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Another question is the GUI used for the login, a 401 is rarely >>>>>>>> what >>>>>>>> an >>>>>>>> >>>>>>>> application wants, any way to use a form or is th eonly way to >>>>>>>> >>>>>>>>> achieve >>>>>>>>> >>>>>>>>> it >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> forking the existing servlets? >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> The login form is offered by IDP (Fediz in this case). We've >>>>>>>>> chatted >>>>>>>>> >>>>>>>> with >>>>>>>> Oli few months ago on providing CXF-centric Fediz extensions, when >>>>>>>> we >>>>>>>> do >>>>>>>> >>>>>>>> it >>>>>>>> >>>>>>> >>>>>>> we will be able to utilize JAX-RS RequestDispatcherProvider which >>>>>>> >>>>>>>> links >>>>>>>> >>>>>>>> the >>>>>>>> >>>>>>> >>>>>>> data with JSP/other view handlers - this is how we do SAML SSO Post >>>>>>> >>>>>>>> Redirect support too >>>>>>>> >>>>>>>> Cheers, Sergey >>>>>>>> >>>>>>>> >>>>>>>> *Romain Manni-Bucau* >>>>>>>> >>>>>>>> *Twitter: @rmannibucau* >>>>>>>>> *Blog: http://rmannibucau.wordpress.********com< >>>>>>>>> >>>>>>>>> http://rmannibucau.wordpress.******com<http://rmannibucau.** >>>>>>>>> >>>>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com> >>>>>>>> >>> >>>>>>>> >>>>>>>> >>>>>>> * >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>> Sergey Beryozkin >>>>>>>> >>>>>>>> Talend Community Coders >>>>>>>> http://coders.talend.com/ >>>>>>>> >>>>>>>> Blog: http://sberyozkin.blogspot.com >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>> >>
