request IdP assertions from java

Cantor, Scott cantor.2 at osu.edu
Wed Jan 18 15:57:41 GMT 2012


On 1/18/12 10:45 AM, "enache alex" <alex_e_fii at yahoo.com> wrote:
>
>I'm extremely new to this SSO, Shibboleth, IdP, SP, etc. etc. things. So
>I thought to ask the experts :). I have to integrate our software with
>Shibboleth (only the IdP part of it). For this I need to create some sort
>of PAM to access the IdP and receive the assertions.

The IdP doesn't include any SAML (or other) profiles that address that use
case(*), and it's inappropriate to use other profiles for a different
purpose. That leads to security problems when things don't work as
intended.

(*) The ECP support is somewhat adaptable to a PAM-like use case, but not
really. With PAM you're probably thinking of taking a password and somehow
directly talking to the IdP, but that's not how SAML normally works. But
it's somewhat similar if you squint. One could act as both "client" and
"SP" in the ECP model, take the credentials, formulate a request, use them
to acquire a Response from the IdP as the profile dictates, and then
process the Response as the relying party. We don't have anything like
that implemented, and most especially not a full relying party in Java.

-- Scott
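
The relying-party half of the ECP-style flow described above, as an added example that is not part of the original message or of Shibboleth: once the client holds the IdP's SOAP reply, it must confirm the Response answers its own request, comes from the expected IdP and is meant for it. It assumes an unencrypted assertion whose XML signature has already been verified; the class name, entity IDs and sample envelope are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class EcpResponseChecks {  // hypothetical class, not Shibboleth code
    static final String P = "urn:oasis:names:tc:SAML:2.0:protocol", A = "urn:oasis:names:tc:SAML:2.0:assertion";
    static void require(boolean ok, String why) { if (!ok) throw new SecurityException(why); }
    // Exactly one element of this name may exist; absence or duplicates are rejected.
    static Element only(Document d, String ns, String name) {
        NodeList l = d.getElementsByTagNameNS(ns, name);
        require(l.getLength() == 1, "expected exactly one " + name);
        return (Element) l.item(0);
    }
    // Assumption: the XML signature was already verified against the IdP's metadata key (not shown).
    static String check(String soap, String requestId, String idp, String sp, Instant now) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(soap.getBytes("UTF-8")));
        Element resp = only(d, P, "Response");
        require(requestId.equals(resp.getAttribute("InResponseTo")), "not an answer to our request");
        require("urn:oasis:names:tc:SAML:2.0:status:Success".equals(only(d, P, "StatusCode").getAttribute("Value")), "IdP did not report Success");
        only(d, A, "Assertion"); // a second assertion smuggled into the document is rejected
        NodeList issuers = d.getElementsByTagNameNS(A, "Issuer");
        require(issuers.getLength() > 0, "no Issuer");
        for (int i = 0; i < issuers.getLength(); i++)
            require(idp.equals(issuers.item(i).getTextContent().trim()), "unexpected Issuer");
        require(sp.equals(only(d, A, "Audience").getTextContent().trim()), "assertion is for another SP");
        Element scd = only(d, A, "SubjectConfirmationData");
        require(requestId.equals(scd.getAttribute("InResponseTo")), "confirmation not bound to our request");
        require(now.isBefore(Instant.parse(scd.getAttribute("NotOnOrAfter"))), "assertion expired");
        return only(d, A, "NameID").getTextContent().trim();
    }
    public static void main(String[] args) throws Exception {
        // Constructed, trimmed sample: every identifier and URL below is made up for illustration.
        String soap = "<S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/' xmlns:p='" + P + "' xmlns:a='" + A + "'><S:Body>"
            + "<p:Response ID='_r1' InResponseTo='_req1'><a:Issuer>https://idp.example.org/idp</a:Issuer>"
            + "<p:Status><p:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/></p:Status>"
            + "<a:Assertion ID='_a1'><a:Issuer>https://idp.example.org/idp</a:Issuer><a:Subject><a:NameID>alex</a:NameID>"
            + "<a:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>"
            + "<a:SubjectConfirmationData InResponseTo='_req1' NotOnOrAfter='2012-01-18T16:05:00Z'/></a:SubjectConfirmation></a:Subject>"
            + "<a:Conditions><a:AudienceRestriction><a:Audience>https://app.example.org/sp</a:Audience></a:AudienceRestriction></a:Conditions>"
            + "</a:Assertion></p:Response></S:Body></S:Envelope>";
        Instant now = Instant.parse("2012-01-18T16:00:00Z");
        String idp = "https://idp.example.org/idp", sp = "https://app.example.org/sp";
        System.out.println(check(soap, "_req1", idp, sp, now)); // accepted, prints the NameID
        try { check(soap, "_other", idp, sp, now); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```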


