Hi Christian
>>>
To my understanding, the Fediz IDP allows for configuring:
- realms and requested claims ("type" of information to be contained in the
ticket)
- credentials (username and password)
- claims (friendly name, email, roles, ...)
Also, to my understanding, the claims are defined globally, so whenever a user
authenticates against the IDP from a specific realm, the same claims are
returned by the STS. Even though the realm definition contains the list of
claims to be returned, the roles defined for a user cannot be specified per
realm.
>>>
Unfortunately, the term "realm" is used differently depending on the context.
Very often, a realm is similar to a security domain where the users and their
attributes are managed. A security domain maps to one identity store (LDAP). But,
the realm can also define a more fine grained scope like an application as for
WS-Federation.
In the Mock IDP, you configure the required claims per application (wtrealm
parameter). The Mock IDP/STS itself is a single security domain where users,
passwords and claims are managed. For simplicity reasons, the Mock IDP/STS
defines only global roles which are valid for all applications - as you say. In
production environments, you can define more fine grained roles per
application (wtrealm (IDP) maps to appliesTo (STS)). In such cases, the
ClaimsHandler processes the incoming appliesTo parameter and returns the roles
of this application.
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/ClaimsHandler.java?view=markup
The parameter "ClaimsParameters" of retrieveClaims() provides the attribute
"appliesToAddress" which maps with the value of the http parameter wtrealm. The
value of wtrealm is managed by the application (relying party).
Do you think it's feasible to extend the FileClaimsHandler to support returning
roles depending on the wtrealm/appliesTo value?
http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java?view=log
HTH
------
Oliver Wulff
http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com
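To make the suggestion above concrete, here is an added sketch (not Oliver's code and not part of Fediz or CXF) of a ClaimsHandler that resolves the role claim per application from ClaimsParameters.getAppliesToAddress(). The CXF method names (getSupportedClaimTypes, retrieveClaimValues, one Claim per role value), the role claim URI and the realm identifiers urn:fediz:realm-a / urn:fediz:realm-b are assumptions for illustration and should be checked against the CXF version in use.

```java
import java.net.URI;
import java.util.*;

import org.apache.cxf.sts.claims.Claim;
import org.apache.cxf.sts.claims.ClaimCollection;
import org.apache.cxf.sts.claims.ClaimsHandler;
import org.apache.cxf.sts.claims.ClaimsParameters;
import org.apache.cxf.sts.claims.RequestClaim;
import org.apache.cxf.sts.claims.RequestClaimCollection;

/** Hypothetical handler: roles are looked up per appliesTo (= wtrealm) and per user. */
public class PerRealmRoleClaimsHandler implements ClaimsHandler {

    // Role claim type as used by the Fediz samples (assumed here).
    public static final URI ROLE_CLAIM =
        URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");

    // appliesTo address -> user name -> roles valid for that application only
    private final Map<String, Map<String, List<String>>> rolesPerRealm =
        new HashMap<String, Map<String, List<String>>>();

    public PerRealmRoleClaimsHandler() {
        // Constructed sample data mirroring the question: user "test" gets
        // APP_ROLE_1 only in realm-a and APP_ROLE_2 only in realm-b.
        Map<String, List<String>> realmA = new HashMap<String, List<String>>();
        realmA.put("test", Arrays.asList("USER", "APP_ROLE_1"));
        Map<String, List<String>> realmB = new HashMap<String, List<String>>();
        realmB.put("test", Arrays.asList("USER", "APP_ROLE_2"));
        rolesPerRealm.put("urn:fediz:realm-a", realmA);
        rolesPerRealm.put("urn:fediz:realm-b", realmB);
    }

    public List<URI> getSupportedClaimTypes() {
        return Collections.singletonList(ROLE_CLAIM);
    }

    public ClaimCollection retrieveClaimValues(RequestClaimCollection claims,
                                               ClaimsParameters parameters) {
        ClaimCollection result = new ClaimCollection();
        Map<String, List<String>> users = rolesPerRealm.get(parameters.getAppliesToAddress());
        String user = parameters.getPrincipal() == null ? null : parameters.getPrincipal().getName();
        // Unknown application or user: issue no role rather than falling back to global roles.
        if (users == null || user == null || !users.containsKey(user)) {
            return result;
        }
        for (RequestClaim requested : claims) {
            if (!ROLE_CLAIM.equals(requested.getClaimType())) {
                continue;
            }
            for (String role : users.get(user)) {
                Claim claim = new Claim();
                claim.setClaimType(ROLE_CLAIM);
                claim.setValue(role);
                result.add(claim);
            }
        }
        return result;
    }
}
```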
________________________________________
From: Christian Stettler [[email protected]]
Sent: Tuesday, 21 February 2012 16:44
To: [email protected]
Subject: Fediz IDP/STS: Define Claims per Realm
Hi list,
To my understanding, the Fediz IDP allows for configuring:
- realms and requested claims ("type" of information to be contained in the
ticket)
- credentials (username and password)
- claims (friendly name, email, roles, ...)
Also, to my understanding, the claims are defined globally, so whenever a user
authenticates against the IDP from a specific realm, the same claims are
returned by the STS. Even though the realm definition contains the list of
claims to be returned, the roles defined for a user cannot be specified per
realm.
As an example, if two realms "realm-a" and "realm-b" are defined (both returning
the "role" claim), and one user "test" is defined with the roles "USER,
APP_ROLE_1, APP_ROLE_2", the ticket returned by the STS will always contain all
three roles, independent of which realm the user has provided.
Is my understanding correct?
Is there any way to specify the claims (i.e. role values) per realm?
Thank you & regards,
Christian