Trying to figure out how to dance with Shibboleth, CAS, Liferay and CXF Web Services

Baptiste Grenier bgrenier at maatg.fr
Mon Jan 14 10:19:51 EST 2013 

Dear Scott,

(Cross posted-to users@ where it was posted first...)

Le 11/01/13 à 15:15, Cantor, Scott téléscripta :
> On 1/11/13 6:18 AM, "Baptiste Grenier" <bgrenier at maatg.fr> wrote:
> >
> >We tried to store the SAML assertion returned by the IdP in the user
> >profile and use it to query the Web Service, it works but as the SAML is
> >short-lived it is problematic.
> 
> It's not valid in many ways. The SSO assertion is not meant for use by any
> service other than the SP. If you want a more advanced assertion, that's a
> different use case, and would involve custom profile development. The only
> one we worked on was the delegation flow (that's not just ECP, it's more
> than that), but it hasn't really seen much uptake for many obvious reasons.

I am not sure about the implication/usage of a custom profile...

> >We checked what can be done and we found different possibilities:
> >- having a non-expiring/long-lived SAML ticket
> 
> That doesn't change the audience or add an appropriate subject
> confirmation, and those are the primary issues from a SAML "correctness"
> point of view. Whenever I say "correctness", I'm not saying you can't do
> it "incorrectly", just that once you violate one rule, there's not much
> concern about violating the rest (such as the time conditions).

Yes.

> (...)
> >What approach seems the more robust/straight forward?
> 
> That's a loaded question. One way of attacking it is to ask if you really
> want delegation. That's more secure, but much more complex, than
> forwarding/impersonation models.

The fact is that we have to use WS-Security and a SAML token to protect 
our services.

We would like to do this while being as standard-compliant as possible, 
but if he have no choice, if using delegation is too costly/complex or 
not adapted to our architecture, we are also thinking of either altering 
the SAML (we could update the AudienceRestriction, replace the signature 
from the idP by a signature from the Liferay SP/portal) or creating a 
ticket from scratch in the portal code, the portlet WS client would 
present it to the CXF Web Service which would validate it according it's 
policy (time validity, audience, known/authorized provenance..). But if 
we can do something cleaner it would make us happier/safer. (And the 
Liferay portal/SP and CFX Web Services are under our control but not all 
idP we plan to be integrated with.)

For what I understand/imagine, delegation, despite it seems to be the 
way we would like to go (and almost addressing our use case), might 
require too much work (or could even not be possible) to integrate witch 
our CFX Web Services and our externals iDP...

I am not sure how forwarding/impersonation could be achieved, could you 
please elaborate a bit on these models?

It looks like that we are moving from the quest of the best solution to 
the quest of the less bad solution...

> I would probably suggest you move any follow up to the dev list,
> unless it's a question specifically related to use of the delegation
> code, but discussing use cases is ok here.

Done.

> HTH,

It helps clarifying things, thanks! (But it also open new questions...)

> -- Scott

Best regards,
Baptiste

-- 
Baptiste Grenier           Maat-G Software architect/developer
http://www.maatg.com                   Mobile: +33 786 341 687
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4633 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20130114/a7a662fc/attachment.bin

More information about the users mailing list