https://issues.apache.org/bugzilla/show_bug.cgi?id=51334
Bug #: 51334
Summary: Web SSO support based on WS-Federation Passive Requestor Profile
Product: Tomcat 6
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: oliver.wu...@zurich.ch
Classification: Unclassified

The specification WS-Federation describes the Web SSO solution in chapter 13:
http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf

Tomcat should support this standard to integrate with other SSO solutions natively.

Initially, an unauthenticated request is redirected to an identity provider (IP) which issues, for instance, a SAML token. The IP is an external system. The SAML token is validated by Tomcat (Relying Party), which then creates the security context in Tomcat.

The idea is to write a custom Authenticator which triggers the redirect, verifies the signed SAML token, reads the claims information (like Role), sets up a cookie and creates the security context.

The authenticator must provide the following configuration options:
- URL of IDP (mandatory)
- audience URI (mandatory)
- trusted certificate (signed SAML token) (mandatory)
- service (RP) keystore to decrypt encrypted SAML tokens (optional)
- list of requested claims (firstname, lastname, email, ... see http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.pdf)
- URI of the claim which contains the roles (needed for isUserInRole()...)
- token type, SAML 1.1, 2.0
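The flow the report describes, worked through as an added example (this is not code from the reporter or from Tomcat, and it does not use Tomcat's Authenticator API; it models the relying-party logic in Python so it can run stand-alone): step 1 builds the wsignin1.0 redirect to the configured IdP URL with the audience URI as wtrealm and the original request URL in wctx; step 2 takes the wresult the IdP posts back, detects whether it carries a SAML 1.1 or 2.0 assertion, rejects a token issued for a different audience or outside its validity window, and pulls the claims out, with the roles taken from the configurable role claim URI so they can back isUserInRole(). Assumptions: signature verification against the trusted certificate and decryption with the RP keystore are done before this code by an XML-DSig/XML-Enc library and are not shown; the role claim URI, the IdP and RP URLs and the sample RequestSecurityTokenResponse are all constructed for the example.

```python
"""Added example, not Tomcat or ASF code: the relying-party (RP) side of the
WS-Federation passive requestor profile.  Assumed: the token's XML signature
has already been verified against the configured trusted certificate (and the
token decrypted with the RP keystore if needed); this code only does the
redirect, the audience and validity checks, and the claim/role extraction."""
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {  # WS-Trust RSTR wrapper plus the two SAML assertion namespaces
    "trust": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Configurable "URI of the claim which contains the roles" (assumed value).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
AUDIENCE = "https://rp.example.org/app"          # assumed audience URI of this RP
IDP_URL = "https://idp.example.org/wsfed"        # assumed IdP endpoint
NOW = datetime(2011, 6, 7, 10, 30, tzinfo=timezone.utc)  # clock for the sample


def build_signin_redirect(idp_url, realm, original_url):
    """Step 1: send the unauthenticated browser to the IdP.  wtrealm is the
    RP's audience URI; wctx carries the originally requested URL round-trip."""
    return idp_url + "?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": realm, "wctx": original_url})


def _ts(value):
    """SAML timestamps are xs:dateTime in UTC ('...Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_token(wresult_xml, audience, now, role_claim=ROLE_CLAIM):
    """Step 2: the IdP POSTs wa=wsignin1.0&wresult=<RSTR> back.  Detect the
    token type, enforce audience and validity window, collect the claims."""
    # ET is used for brevity; parse untrusted XML with a hardened parser.
    root = ET.fromstring(wresult_xml)
    assertion = root.find(".//saml2:Assertion", NS)
    if assertion is not None:
        ver = "SAML 2.0"
        auds = assertion.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)
        subject = assertion.findtext(".//saml2:Subject/saml2:NameID", namespaces=NS)
        claims = {a.get("Name"): [v.text for v in a.findall("saml2:AttributeValue", NS)]
                  for a in assertion.findall(".//saml2:Attribute", NS)}
        cond = assertion.find("saml2:Conditions", NS)
    else:
        assertion = root.find(".//saml1:Assertion", NS)
        if assertion is None:
            raise ValueError("wresult carries no SAML 1.1 or 2.0 assertion")
        ver = "SAML 1.1"
        auds = assertion.findall(".//saml1:AudienceRestrictionCondition/saml1:Audience", NS)
        subject = assertion.findtext(".//saml1:Subject/saml1:NameIdentifier", namespaces=NS)
        # SAML 1.1 splits the claim URI into AttributeNamespace + AttributeName
        claims = {(a.get("AttributeNamespace") or "").rstrip("/") + "/" + a.get("AttributeName", ""):
                  [v.text for v in a.findall("saml1:AttributeValue", NS)]
                  for a in assertion.findall(".//saml1:Attribute", NS)}
        cond = assertion.find("saml1:Conditions", NS)
    # Audience restriction: a token issued for another RP must be rejected.
    if audience not in [a.text for a in auds]:
        raise ValueError("audience mismatch")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
            raise ValueError("token outside its validity window")
    return {"token_type": ver, "subject": subject, "claims": claims,
            "roles": claims.get(role_claim, [])}  # roles feed isUserInRole()


def handle_signin_response(form, audience, now):
    """Step 3: build the principal from the posted form, then the caller sets
    its session cookie and redirects the browser back to wctx."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa action")
    return extract_token(form["wresult"], audience, now), form.get("wctx", "/")


# Constructed, unsigned sample RSTR as an IdP would post it in wresult.
SAMPLE_WRESULT = """<trust:RequestSecurityTokenResponse
  xmlns:trust="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <trust:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2011-06-07T10:00:00Z">
   <saml:Issuer>https://idp.example.org</saml:Issuer>
   <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2011-06-07T10:00:00Z" NotOnOrAfter="2011-06-07T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://rp.example.org/app</saml:Audience></saml:AudienceRestriction>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
     <saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
     <saml:AttributeValue>manager</saml:AttributeValue>
     <saml:AttributeValue>employee</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </trust:RequestedSecurityToken>
</trust:RequestSecurityTokenResponse>"""


def demo():
    """Run the whole round trip on the constructed sample."""
    redirect = build_signin_redirect(IDP_URL, AUDIENCE, "/app/secret?x=1")
    form = {"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT, "wctx": "/app/secret?x=1"}
    principal, back_to = handle_signin_response(form, AUDIENCE, NOW)
    return redirect, principal, back_to


if __name__ == "__main__":
    print(demo())
```

The audience check is what stops a token minted for some other relying party at the same IdP from being replayed against this one, and the NotOnOrAfter check is why the RP needs a reasonably synchronised clock; both are cheap compared with the signature check that must precede them, and none of the three can be skipped.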