Can the SP forward artifact consumption to another service?
matthieu.huin at enovance.com
Wed Nov 12 06:03:21 EST 2014
I've been looking into artifacts (section 3.6 of http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)
and would like to know if the Shibboleth SP could support passing the artifact, once obtained, to another service, through some
form of callback. This service would then consume the artifact and fetch the assertions from the IdP.
It is probably a bit far-fetched, but the OpenStack community has to deal with a case where the web GUI (Horizon) is
a distinct entity from the identity/authZ service (Keystone). Keystone recently got support for federation through SAML
(as an SP, behind mod-shib), and CLI operations are possible through ECP, but getting the right federated AuthN workflow through
Horizon is tricky. So using artifacts and having Horizon pass them to Keystone could maybe solve this; or is there something
else that could be done?
mhu at enovance.com
11 bis rue roquépine – 75008 PARIS France