Hi David,
I think you would want to extend the STS to do what you have in mind.
The SAML2 IdP is used for the SAML SP-initiated SSO profile, i.e. a typical
sequence is this:
1. A relying party ("SP" in SAML terminology) wants to authenticate a user.
Therefore it redirects the browser to the SAML IdP with a SAML AuthnRequest.
2. The SAML IdP somehow authenticates the user. It then redirects the
browser back to the SP with a SAML Assertion.
3. The relying party (SP) now knows who the user is.
At step 2, the Higgins SAML2 IdP can authenticate the user either against an
IdAS Context, or by asking for a card, but this is all transparent to the
SP.
The main use case we had in mind when developing the SAML2 IdP was to
support sign-in to Google Apps, which can be configured to act as a SAML SP.
See here:
http://code.google.com/apis/apps/sso/saml_reference_implementation.html
We have a demo deployment that allows you to sign in to Google Apps with a
card.
If this sounds close to what you have in mind, then maybe you can use the
SAML2 IdP; otherwise I think you would want to try to get the STS to issue the
kind of tokens you want.
Markus
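The three-step SP-initiated flow described above, carried through end to end as an added example (this is not Higgins code, and the entity IDs, URLs and the user "alice@example.org" are assumptions). The SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding, a toy IdP decodes it and answers with an Assertion for the HTTP-POST binding, and the SP runs the checks it must pass before it "knows who the user is": Status, Destination, Issuer, InResponseTo (each response accepted once), the Conditions window, AudienceRestriction and SubjectConfirmationData. The one check not shown is the XML-DSig verification of the Response/Assertion against the IdP's certificate, which the Python standard library cannot do; a real SP does that first.

```python
"""SP-initiated SAML 2.0 SSO round trip with stdlib only (added example, not Higgins code).
XML signatures are deliberately omitted: a real SP verifies the XML-DSig before trusting
any value checked below."""
import base64, secrets, zlib, urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical parties (assumptions for this example).
SP_ENTITY_ID = "https://sp.example.org/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/saml2"
IDP_SSO_URL = "https://idp.example.org/saml2/sso"

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # fixed width, so string comparison orders correctly

def build_authn_request(now):
    """Step 1: SP builds an AuthnRequest; returns (request ID, redirect URL for the browser)."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": iso(now), "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded as the SAMLRequest parameter.
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = z.compress(ET.tostring(root)) + z.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return req_id, IDP_SSO_URL + "?" + query

def idp_handle_redirect(url, name_id, now):
    """Step 2: toy IdP decodes the AuthnRequest and answers with an (unsigned) Response."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    if req.findtext(f"{{{SAML}}}Issuer") != SP_ENTITY_ID:
        raise ValueError("AuthnRequest from unknown SP")
    acs = req.get("AssertionConsumerServiceURL")
    # The IdP "somehow authenticates the user" here (IdAS context, card, ...); name_id is the result.
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": iso(now),
        "Destination": acs, "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": iso(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = name_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": req.get("ID"), "Recipient": acs, "NotOnOrAfter": iso(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": iso(now - timedelta(seconds=30)), "NotOnOrAfter": iso(now + timedelta(minutes=5))})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=iso(now))
    # HTTP-POST binding: the browser posts base64(XML) as SAMLResponse to the ACS URL.
    return base64.b64encode(ET.tostring(resp)).decode()

def sp_consume_response(saml_response_b64, outstanding, now):
    """Step 3: SP validates the Response and returns the NameID, or raises ValueError.
    (XML-DSig verification against the IdP's metadata certificate belongs before this point.)"""
    def check(ok, msg):
        if not ok:
            raise ValueError(msg)
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    t = iso(now)
    check(resp.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    check(code is not None and code.get("Value", "").endswith(":Success"), "status is not Success")
    check(resp.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    check(resp.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY_ID, "unexpected Response Issuer")
    # InResponseTo must name a request we actually sent, and is consumed so the response is accepted once.
    check(resp.get("InResponseTo") in outstanding, "unsolicited or replayed response")
    outstanding.discard(resp.get("InResponseTo"))
    assertions = resp.findall(f"{{{SAML}}}Assertion")
    check(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    check(a.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY_ID, "unexpected Assertion Issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    check(cond is not None and cond.get("NotBefore") <= t < cond.get("NotOnOrAfter"), "outside validity window")
    check(SP_ENTITY_ID in [e.text for e in cond.iter(f"{{{SAML}}}Audience")], "assertion not addressed to us")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    check(scd is not None and scd.get("Recipient") == SP_ACS_URL
          and scd.get("InResponseTo") == resp.get("InResponseTo")
          and t < scd.get("NotOnOrAfter"), "bad SubjectConfirmationData")
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def run_sso(name_id, skew_minutes=0, replay=False):
    """Drive all three steps on a fixed clock. skew_minutes moves the SP's clock forward when it
    consumes the response (a stale assertion); replay=True presents the same response twice."""
    now = datetime(2009, 7, 29, 9, 10, tzinfo=timezone.utc)
    outstanding = set()
    req_id, url = build_authn_request(now)
    outstanding.add(req_id)
    resp = idp_handle_redirect(url, name_id, now)
    sp_now = now + timedelta(minutes=skew_minutes)
    who = sp_consume_response(resp, outstanding, sp_now)
    if replay:
        who = sp_consume_response(resp, outstanding, sp_now)  # must be refused
    return who

if __name__ == "__main__":
    print("SP now knows the user is:", run_sso("alice@example.org"))
```

The `outstanding` set is the SP's record of AuthnRequest IDs it has issued; in a deployed SP that state lives in the session store, and dropping the ID on first use is what turns the InResponseTo check into replay protection.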
On Wed, Jul 29, 2009 at 9:10 AM, David Campos <[email protected]> wrote:
> Hello all,
>
> I have a question about the SAML2IdP that is available on the Higgins Web
> Page. I've successfully deployed the STS solution and I've been working a long
> time with it, but now I would like to be able to generate SAML Authentication
> assertions with some cards and SAML Attribute assertions with the others.
>
> The first tokens would be used to perform a SSO between other apps in the
> same realm and the second tokens would be used for the usual claim
> disclosure.
>
> My question comes here: is it possible to extend the normal STS in order to
> create a new Endpoint that issues those tokens? I guess that the Higgins
> framework is powerful and flexible enough to express that, but I don't know
> if I need to deploy the SAML2IdP or if I can simply extend the STS.
>
> Also I would like to know if there is a restriction that would force me to
> use SAML2 auth tokens or whether SAML 1.1 tokens can also be issued.
>
> Thanks for your answers.
>
> Regards,
> ---
> David Campos
>
> _______________________________________________
> higgins-dev mailing list
> [email protected]
> https://dev.eclipse.org/mailman/listinfo/higgins-dev