Shibboleth Identity Provider V3.2.0 now available

Brent Putman putmanb at georgetown.edu
Thu Nov 19 17:12:20 EST 2015



On 11/19/15 1:39 PM, Cantor, Scott wrote:
> On 11/19/15, 1:37 PM, "users on behalf of Hong Ye" <users-bounces at shibboleth.net on behalf of hy93 at cornell.edu> wrote:
>
>> Do you have documentation of SAML assertion delegation in IDP3?
> Nope.

It's on my TODO list to write something up in the wiki.  Due to the
holiday next week, I don't know how much I will be able to get done
before the first week or so of December.

In the meantime: If you weren't familiar with the original v2 extension
stuff that we did, and the SAML delegation solution in general, you
could start by getting familiar with the original writeup that Scott did
back then. [1]  The message flows and on-the-wire technical requirements
have not changed.

The main thing that really changed in the new IdP core 3.2.0 impl is the
various policy control bits one configures for the relying party(s)
involved in delegation, which are mentioned in the "IdP Change
Proposals" section, mostly item #1 there. [2]  If you're feeling
motivated (brave?), you can take a look at the relevant Java classes for
properties you'd set via native Spring wiring [3] and [4].  And if using
legacy config, look at the schema. [5]

Note: There is a piece of software that we do *not* supply that is
necessary to actually implement delegation for a specific application
use case.  This is the delegation-aware ECP client + HTTP user agent
that sits on an SSO SP, and which mediates the HTTP requests to a
backend SAML SP resource (called Web Service Provider WSP in the
document).  For the original extension work back in 2009, someone did a
Java implementation of such a client for the Java-based uPortal
application, but I suspect it's quite out of date at this point (IIRC
based on now-defunct Apache Commons HttpClient v3).  But the main point
is it needs to fit with the platform/stack of the app running on your
SSO SP; so if it's Java/Python/PHP/Ruby/etc, you need such an ECP
client+agent written in the appropriate technology.


[1] https://spaces.internet2.edu/display/ShibuPortal/Home
[2] https://spaces.internet2.edu/display/ShibuPortal/IdP+Change+Proposals
[3] http://svn.shibboleth.net/view/java-identity-provider/trunk/idp-saml-api/src/main/java/net/shibboleth/idp/saml/saml2/profile/config/BrowserSSOProfileConfiguration.java?view=markup
[4] http://svn.shibboleth.net/view/java-identity-provider/trunk/idp-saml-api/src/main/java/net/shibboleth/idp/saml/idwsf/profile/config/SSOSProfileConfiguration.java?view=markup
[5] http://svn.shibboleth.net/view/java-identity-provider/trunk/idp-schema/src/main/resources/schema/shibboleth-relying-party-saml.xsd?view=markup