Hi.

After managing to do SSO to SharePoint 2010 using Fediz IdP/STS 1.1.0 with:
- the user authenticating at the Fediz IdP using username and password,
- validation of user credentials in a custom LoginModule in the Fediz STS,
- retrieving claims via "LdapClaimsHandler" from LDAP in the Fediz STS,

I would now like to take the solution further and not require users to provide credentials at the Fediz IdP login page, but instead use an existing SSO state (HTTP cookie) created by a third-party SSO system protecting the company's intranet applications. Besides intra-domain Web SSO based on SSO session cookies, the third-party SSO system can do inter-domain Web SSO via SAML 2.0 Web SSO or OAuth 2.0.

The following solution alternatives came to my mind:

1. Use SAML Web SSO:
   * The Fediz IdP would be a SAML SP.
   * The third-party SSO system would be a SAML IdP that issues a SAML assertion based on the existing SSO state.
   * The SAML assertion from the SAML IdP would be used to authenticate the user at the Fediz IdP and STS.

2. Use the third-party SSO state directly:
   * Create a custom Spring Security module for the Fediz IdP that:
     -- redirects the user to an external login portal to authenticate and then back to the Fediz IdP if there is no third-party SSO cookie in the HTTP request;
     -- gets a session id from the third-party SSO cookie in the HTTP request;
     -- retrieves the username for the session from the third-party SSO system;
     -- sets the username as "name" and the session id as "credentials" in the org.springframework.security.core.Authentication object.
   * Modify the custom LoginModule in the Fediz STS so that it only verifies that the session is valid.

Solution #2 seems feasible and easy to implement. Solution #1 is cleaner from a concept point of view, but more complicated, and I don't know whether it is feasible in Fediz 1.1.0.

Could you please tell me which of the solutions is supported by Fediz, or whether there is yet another solution for our SSO use case?

Kind regards,
Stepan
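Added example (not from the post above and not Fediz project code): one way to implement alternative #2 on the IdP side with Spring Security's pre-authentication support. It assumes a cookie named "SSO_SESSION", an external login portal at https://sso.example.com/login, and a hypothetical SsoSessionClient interface for asking the third-party SSO system which user a session id belongs to; all three are placeholders for whatever the real system provides. The username is taken from the SSO system's answer, never from the cookie contents, so a forged or expired cookie produces no principal and the request falls through to the redirect entry point.

```java
package example.fediz.sso;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical client for the third-party SSO system (assumption, not a real API). */
interface SsoSessionClient {
    /** Returns the username bound to a valid, unexpired session, or null if the session is unknown. */
    String usernameForSession(String sessionId);
}

/** Reads the third-party SSO cookie and hands username (principal) and session id (credentials) to Spring Security. */
public class ThirdPartySsoFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String COOKIE_NAME = "SSO_SESSION"; // assumption: cookie name used by the third-party SSO system
    private final SsoSessionClient client;

    public ThirdPartySsoFilter(SsoSessionClient client, AuthenticationManager manager) {
        this.client = client;
        setAuthenticationManager(manager);
        setCheckForPrincipalChanges(true); // re-authenticate if the cookie now names a different session
    }

    static String sessionIdFrom(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Principal is whatever the SSO system reports for the session; null means "no cookie or invalid session". */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String sessionId = sessionIdFrom(request);
        if (sessionId == null) {
            return null; // the base filter then skips authentication and the entry point below redirects
        }
        return client.usernameForSession(sessionId);
    }

    /** The session id is passed on as credentials so a downstream check (e.g. the STS LoginModule) can re-validate it. */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return sessionIdFrom(request);
    }
}

/** Turns the pre-authenticated token into UserDetails; the fixed ROLE_USER is an assumption (claims come from LDAP in the STS). */
class SsoUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
        Object principal = token.getPrincipal();
        if (!(principal instanceof String) || ((String) principal).isEmpty()) {
            throw new UsernameNotFoundException("no principal from SSO session");
        }
        return new User((String) principal, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }
}

/** Without a usable SSO session, send the browser to the external login portal with a return URL back to the IdP. */
class ExternalPortalEntryPoint implements AuthenticationEntryPoint {
    static final String LOGIN_PORTAL = "https://sso.example.com/login"; // assumption: third-party login portal

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex)
            throws IOException {
        StringBuffer back = request.getRequestURL();
        if (request.getQueryString() != null) {
            back.append('?').append(request.getQueryString());
        }
        response.sendRedirect(LOGIN_PORTAL + "?returnTo=" + URLEncoder.encode(back.toString(), "UTF-8"));
    }
}
```

Wiring: register ThirdPartySsoFilter ahead of the form-login filter, back it with a PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is SsoUserDetailsService, and set ExternalPortalEntryPoint as the entry point. Because the session id is a bearer credential, the SSO system should be queried on every request that carries the cookie (as above) rather than caching the principal in the IdP's own session, and the lookup should run over a server-side channel the browser cannot reach.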
