Can the SP forward artifact consumption to another service?
Matthieu Huin
matthieu.huin at enovance.com
Wed Nov 12 06:03:21 EST 2014
Hello,
I've been looking into artifacts (section 3.6 of http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf)
and would like to know if the Shibboleth SP could support passing the artifact, once obtained, to another service, through some
form of callback. This service would then consume the artifact and fetch the assertions from the IdP.
It is probably a bit far-fetched, but the OpenStack community has to deal with a case where the web GUI (Horizon) is
a distinct entity from the identity/authZ service (Keystone). Keystone recently got support for federation through SAML
(as an SP, behind mod-shib), and CLI operations are possible through ECP, but getting the right federated AuthN workflow through
Horizon is tricky. So using artifacts and having Horizon pass them to Keystone could maybe solve this; or is there something
else that could be done?
Thanks,
Matthieu Huin
mhu at enovance.com
http://www.enovance.com
11 bis rue roquépine – 75008 PARIS France