BTW, congratulations on setting up the Higgins STS with your own LDAP! Is your demo public, i.e. can we try it somewhere?
Markus

On Wed, Jul 29, 2009 at 1:11 PM, David Campos <[email protected]> wrote:
> The scenario seems to match...
>
> Our scenario is like this:
>
> 1. There exists a group of applications that have the users in common. A third party manages these users from an LDAP that is mapped towards Higgins STS (Higgins users are visible from every app) and also manages authentication and authorization.
> 2. One application is the Higgins STS with a few tweaks. This application is a demo in order to allow people to play with Higgins and iCards.
>
> Let's say that we want also to allow users to authenticate into all the applications using iCards. To allow this we need to change the authentication method to retrieve an AuthN SAML 1.1 token that the third party is able to understand and to map towards the right user.
>
> Maybe the idea is to combine STS and SAML2 IdP. Do you know if it is possible to issue SAML AuthN 1.1 tokens?
>
> Thank you for the answers.
>
> ---
> David Campos
>
>
> On Wed, Jul 29, 2009 at 11:47, Markus Sabadello <[email protected]> wrote:
>
>> Hi David,
>>
>> I think you would want to extend the STS to do what you have in mind.
>>
>> The SAML2 IdP is used for the SAML SP-initiated SSO profile, i.e. a typical sequence is this:
>> 1. A relying party ("SP" in SAML terminology) wants to authenticate a user. Therefore it redirects the browser to the SAML IdP with a SAML AuthnRequest.
>> 2. The SAML IdP somehow authenticates the user. It then redirects the browser back to the SP with a SAML Assertion.
>> 3. The relying party (SP) now knows who the user is.
>>
>> At step 2, the Higgins SAML2 IdP can authenticate the user either against an IdAS Context, or by asking for a card, but this is all transparent to the SP.
>>
>> The main use case we had in mind when developing the SAML2 IdP was to support sign-in to Google Apps, which can be configured to act as a SAML SP.
>> See here: http://code.google.com/apis/apps/sso/saml_reference_implementation.html
>> We have a demo deployment that allows you to sign in to Google Apps with a card.
>>
>> If this sounds close to what you have in mind, then maybe you can use the SAML2 IdP, otherwise I think you would want to try to get the STS to issue the kind of tokens you want.
>>
>> Markus
>>
>> On Wed, Jul 29, 2009 at 9:10 AM, David Campos <[email protected]> wrote:
>>
>>> Hello all,
>>>
>>> I have a question about the SAML2IdP that is available on the Higgins Web Page. I've successfully deployed the STS solution and I've been working for a long time with it, but now I would be able to generate SAML Authentication assertions with some cards and SAML Attribute assertions with the others.
>>>
>>> The first tokens would be used to perform an SSO between other apps in the same realm and the second tokens would be used for the usual claim disclosure.
>>>
>>> My question comes here: is it possible to extend the normal STS in order to create a new Endpoint that issues those tokens? I guess that the Higgins framework is powerful and flexible enough to express that, but I don't know if I need to deploy the SAML2IdP or I can simply extend the STS.
>>>
>>> Also I would like to know if there is a restriction that would force me to use SAML2 auth tokens or whether SAML 1.1 tokens can be issued also.
>>>
>>> Thanks for your answers.
>>>
>>> Regards,
>>> ---
>>> David Campos
>>>
>>> _______________________________________________
>>> higgins-dev mailing list
>>> [email protected]
>>> https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________ higgins-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/higgins-dev
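The three-step SP-initiated SSO sequence quoted in the thread (SP sends an AuthnRequest, IdP authenticates and returns an Assertion, SP learns who the user is), as an added offline simulation. This is example code written for this page, not Higgins project code; the entity IDs, URLs and the in-memory "directory" standing in for the LDAP are constructed, and XML signatures and encryption are deliberately left out so the message shapes and the SP-side checks (InResponseTo, Recipient, Audience, validity window, presence of an AuthnStatement) stay visible.

```python
"""Minimal SAML 2.0 SP-initiated SSO round trip (added example, not Higgins code).

Step 1: SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding.
Step 2: IdP decodes it, authenticates the user, returns an Assertion with an
        AuthnStatement (an "authentication assertion", as opposed to one that
        only carries attributes).
Step 3: SP validates the assertion before trusting the NameID.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, parse_qs, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY = "https://sp.example.test/metadata"     # constructed
IDP_ENTITY = "https://idp.example.test/metadata"   # constructed
IDP_SSO_URL = "https://idp.example.test/sso"       # constructed
ACS_URL = "https://sp.example.test/acs"            # constructed
DIRECTORY = {"alice": "correct horse"}             # constructed stand-in for the LDAP
FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def now():
    return datetime.now(timezone.utc)


def q(ns, tag):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, tag)


# --- Step 1: SP side -------------------------------------------------------
def build_authn_request():
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(q(SAMLP, "AuthnRequest"), {
        "ID": req_id, "Version": "2.0", "IssueInstant": now().strftime(FMT),
        "AssertionConsumerServiceURL": ACS_URL, "Destination": IDP_SSO_URL})
    ET.SubElement(root, q(SAML, "Issuer")).text = SP_ENTITY
    return req_id, ET.tostring(root, encoding="unicode")


def redirect_url(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(xml_text.encode()) + co.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


# --- Step 2: IdP side ------------------------------------------------------
def decode_request(url):
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != q(SAMLP, "AuthnRequest"):
        raise ValueError("not an AuthnRequest")
    return root.get("ID"), root.findtext(q(SAML, "Issuer")), root.get("AssertionConsumerServiceURL")


def idp_issue_assertion(url, username, password):
    """Authenticate against the constructed directory; return assertion XML or None."""
    req_id, issuer, acs = decode_request(url)
    if DIRECTORY.get(username) != password:
        return None
    t = now()
    a = ET.Element(q(SAML, "Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                          "Version": "2.0", "IssueInstant": t.strftime(FMT)})
    ET.SubElement(a, q(SAML, "Issuer")).text = IDP_ENTITY
    subj = ET.SubElement(a, q(SAML, "Subject"))
    ET.SubElement(subj, q(SAML, "NameID")).text = username
    sc = ET.SubElement(subj, q(SAML, "SubjectConfirmation"),
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, q(SAML, "SubjectConfirmationData"),
                  {"InResponseTo": req_id, "Recipient": acs,
                   "NotOnOrAfter": (t + timedelta(minutes=5)).strftime(FMT)})
    cond = ET.SubElement(a, q(SAML, "Conditions"),
                         {"NotBefore": (t - timedelta(minutes=1)).strftime(FMT),
                          "NotOnOrAfter": (t + timedelta(minutes=5)).strftime(FMT)})
    ar = ET.SubElement(cond, q(SAML, "AudienceRestriction"))
    ET.SubElement(ar, q(SAML, "Audience")).text = issuer
    st = ET.SubElement(a, q(SAML, "AuthnStatement"), {"AuthnInstant": t.strftime(FMT)})
    ctx = ET.SubElement(st, q(SAML, "AuthnContext"))
    ET.SubElement(ctx, q(SAML, "AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(a, encoding="unicode")


# --- Step 3: SP side -------------------------------------------------------
def sp_consume(assertion_xml, expected_req_id):
    """Return the authenticated NameID, or raise ValueError if any check fails."""
    a = ET.fromstring(assertion_xml)
    scd = a.find(".//" + q(SAML, "SubjectConfirmationData"))
    if scd is None or scd.get("InResponseTo") != expected_req_id:
        raise ValueError("assertion does not answer our request (replay or unsolicited)")
    if scd.get("Recipient") != ACS_URL:
        raise ValueError("wrong Recipient")
    if a.findtext(".//" + q(SAML, "Audience")) != SP_ENTITY:
        raise ValueError("wrong Audience")
    cond = a.find(q(SAML, "Conditions"))
    nb = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not (nb <= now() < na):
        raise ValueError("assertion outside its validity window")
    if a.find(q(SAML, "AuthnStatement")) is None:
        raise ValueError("no AuthnStatement: this is not an authentication assertion")
    return a.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID"))


def run_sso(username, password):
    """Drive all three steps; returns the NameID the SP ends up trusting, or None."""
    req_id, xml_text = build_authn_request()
    assertion = idp_issue_assertion(redirect_url(xml_text), username, password)
    return None if assertion is None else sp_consume(assertion, req_id)


if __name__ == "__main__":
    print(run_sso("alice", "correct horse"))
```

The SP-side checks are the part worth copying: an SP that accepts any well-formed assertion without tying it back to its own request ID, its own ACS URL and its own entity ID as Audience is trusting whatever lands on the endpoint. In a real deployment the IdP signs the assertion and the SP verifies that signature before any of these checks run.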
