Passthrough of SAML response by SP to application

Dennis Wagelaar dennis.wagelaar at healthconnect.be
Mon Jul 16 03:26:26 EDT 2012


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Friday, 13 July 2012 18:08
To: Shib Users
Cc: Jelle Gacoms; Toon Timbermont
Subject: Re: Passthrough of SAML response by SP to application

On 7/13/12 8:52 AM, "Dennis Wagelaar" <dennis.wagelaar at healthconnect.be>
wrote:

>Hello all,
> 
>Is it possible to have the Shibboleth SP pass through the entire SAML 
>response instead of only selected attributes to the underlying web 
>application?

Yes, this is documented under assertion export. It's somewhat roundabout because of the size, but it works.

[DW] Thanks! I had already run into size issues with SAML tokens embedded in HTTP headers. This seems to solve that issue. (sorry about my Outlook not properly indenting replies :/)

> 
>I'm trying to build a sort of "broker" solution, where a web service 
>uses shibboleth to authenticate a user, and then contacts another web 
>service that authenticates both the "broker" web service as well as the 
>original user (with the original SAML token).

You can't do that without either violating the SAML specifications, or treating the assertion is nothing but application data and trusting the initial service implicitly. Using assertions as security tokens imposes requirements on their content that vanilla SSO assertions don't meet.

[DW] Just to be sure, the idea is to use a separate, regular Shibboleth authentication of the broker/portal web service based on an X509 certificate that identifies the portal web service. Once authenticated, the portal web service is allowed to pass on the original SAML token (with "audience" set to the portal web service). I understand that the portal web service is effectively a man-in-the-middle, and can read/modify all data that passes (hence needs to be trusted ultimately by the final web service). Are there other security concerns re. this trust model?

> As far as I can see, I will need to pass on the entire signed SAML 
>response for the user, if the other web service is to validate the 
>initial user authentication.
> 
>Am I on the right track here?

Not really, see above.

What you're trying to do is what we spec'd out and implemented as delegation, but it's not a trivial use of SAML. It's laid out in a separate wiki space in the spaces.internet2.edu wiki:

https://spaces.internet2.edu/display/ShibuPortal/Home

[DW] Thanks! That looks very much like the intended scenario. I understand it is currently only "complete" for use with uPortal. If I were to use this implementation, are these the things I'd need to do:

1. Add plug-in to IDP to support delegation
2. Implement the "Portlet" role in my portal web service
3. Configure both the portal SP and the final SP (no special SP implementation necessary)

Can you confirm?

Thanks!
-- Dennis

-- Scott
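The point Scott makes above (an SSO assertion issued to the portal is addressed to the portal, so the final web service cannot accept it as a token for itself without implicitly trusting the portal) comes down to the assertion's Conditions element. The following is an added example, not code from this thread or from the Shibboleth project: it parses a constructed SAML 2.0 assertion with the Python standard library and reports why a given relying party must reject it. The entity IDs, timestamps and assertion ID are made-up sample values, and signature verification (mandatory in practice, and the first thing the final service would check) is deliberately left out so the example runs offline.

```python
"""Added example (not from the mailing-list thread or the Shibboleth SP):
evaluate a SAML 2.0 assertion's Conditions for a given relying party.

Illustrates why a vanilla SSO assertion exported by the portal's SP cannot
simply be forwarded to a second web service: its AudienceRestriction names
the portal, not the downstream service. All identifiers below are
constructed sample values. Signature verification is not shown here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion shaped like an IdP SSO assertion issued to the
# portal SP. The ds:Signature element is omitted for brevity.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample123"
    IssueInstant="2012-07-16T07:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_xyz</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-07-16T07:00:00Z" NotOnOrAfter="2012-07-16T07:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2012-07-16T07:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, my_entity_id, now):
    """Return the list of reasons relying party `my_entity_id` must reject the
    assertion at time `now` (datetime or SAML timestamp string). An empty
    list means the Conditions element is satisfied for that party."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        # SAML permits this, but a relying party acting on the assertion as a
        # security token has nothing to scope it with; treat as a failure.
        return ["no Conditions element"]

    problems = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired")

    # Every AudienceRestriction present must list this relying party.
    for restriction in cond.findall("saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if my_entity_id not in audiences:
            problems.append(f"audience restricted to {audiences}, not {my_entity_id}")
    return problems


if __name__ == "__main__":
    when = "2012-07-16T07:02:00Z"
    for party in ("https://portal.example.org/shibboleth",
                  "https://final-service.example.org/shibboleth"):
        result = check_conditions(SAMPLE_ASSERTION, party, when)
        print(party, "->", "accept" if not result else result)
```

Run as-is, the portal's own entity ID passes the Conditions check while the downstream service's entity ID is rejected on audience, which is the mismatch the delegation work in the linked wiki exists to solve (by having the IdP issue an assertion whose content is actually addressed to the second service).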
