Delegate authentication through a different SP

Giovanni Bajo rasky at develer.com
Sun Oct 20 11:33:48 EDT 2013


Hello,

we use Shib (specifically, mod_shib) in all our SPs.

We have one service (SP1) which is both usable directly by users (through a browser) and exposes a webservice. It redirects users for authentication to our IdP.

We then have one totally different service (SP2) which is used directly by users, and internally it communicates with the webservice exposed by SP1. Previously, with basic-auth, SP2 was basically forwarding the user's credentials to SP2's webservice to authenticate.

What is the best way to handle this scenario? I would expect a way to either forward a security assertion from SP1 to SP2 (maybe using ECP to talk to SP2?), or some different mechanism I'm not aware of. I found this page that suggests some possible solutions:
https://wiki.shibboleth.net/confluence/display/SHIB2/DelegatedCredentials

but neither of them seems ideal for my case. Is there anything else I can look into?

Thanks in advance for any suggestion.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it


