On Thu, Jul 1, 2010 at 3:08 PM, Suresh Attanayake <sur...@wso2.com> wrote:

> Hi,
>
> Tyrell, Prabath, Thilina and I are currently working on implementing SSO for
> gadgets. We have come up with some difficulties and are looking for any
> assistance we can get.
> Here is what we are doing:
>
>    - Every WSO2 product supports SAML2 based SSO. (This is already done)
>    - And our services can be SAML2 protected so that any client trying to
>    access these services has to provide a valid SAML2 token. ( Thilina is
>    working on this module for services)
>    - So when a gadget tries to access a service, it has to provide a valid
>    SAML2 token to the service.
>    - A gadget can get a valid SAML2 token in following ways as we
>    discussed.
>
>
>    1. *Pass the same token given to the Gadget Server to gadgets.*
>    In this case each and every gadget in the portal and the gadget server
>    will use the same SAML2 token which is given to the Gadget Server.
>    But we still couldn't find how to pass the gadget server's token to
>    gadgets.
>    2. *Each and every gadget will act as a SAML2 consumer.*
>    In this case each and every gadget will act as a SAML2 consumer and has
>    to be authenticated by the *IS *individually.
>    In this case,
>
>
>    - Gadgets have to generate a message called *<AuthnRequest>* and send it
>    to the Identity Server for authentication.
>    - This <AuthnRequest> message must contain 3 URLs as follows:
>
>       - Redirection URL : The URL of the Identity Server.
>       - Issuer URL : The URL of the sender who generates and sends the
>       <AuthnRequest> message.
>       - Consumer URL : The Identity Server sends the *<Response>* message
>       to this URL. The Identity Server sends this <Response> message after
>       processing the <AuthnRequest> message, indicating the success/failure
>       etc. of the authentication.
>
> We are confused about the *Issuer URL* and the *Consumer URL*, because
> anything acting as a SAML2 consumer should have these URLs, but gadgets do
> not have any URLs.
>


Actually it is not mandatory to have a Consumer URL or a Redirection URL in
the request. Having issuer URL in the request is sufficient, given that the
corresponding issuer is registered at the Identity Provider end.

As we discussed yesterday, it was planned to generate these requests
using a servlet. Similarly, you can host a different servlet which can act as
the Assertion Consumer URL. And you can associate the incoming SAML Response
with the corresponding gadget using the RELAY_STATE param which is
sent/received with each HTTP redirect.

Thanks,
Thilina



>
> Currently we are trying to figure out how OAuth has achieved this. We will
> be grateful if we could get any assistance with this.
>
> Thanks,
> Suresh.../
>



-- 
Thilina Mahesh Buddhika
Senior Software Engineer
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware

phone : +94 77 44 88 727
blog : http://blog.thilinamb.com
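The exchange Thilina sketches, as an added example that is not WSO2 code and not part of the original thread: a request-generating servlet builds an <AuthnRequest> that carries only an <Issuer> (no Destination, no AssertionConsumerServiceURL, on the assumption that the issuer and its ACS are registered at the Identity Server), encodes it for the HTTP-Redirect binding, and ties the pending request to one gadget through an opaque RelayState. The ACS side looks the RelayState up again, checks that the <Response>'s InResponseTo matches the request ID it issued, and returns the gadget the login belongs to. The IdP URL, the issuer name, the gadget ids and the sample <Response> are all constructed for the example; signature and assertion validation are assumed to happen before consume_response and are not shown.

```python
import base64
import secrets
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical endpoints: the IdP's SSO URL and the issuer name registered there.
IDP_SSO_URL = "https://idp.example.com/samlsso"
ISSUER = "gadget-server.example.com"

# Server-side table: opaque RelayState -> the gadget and request ID it belongs to.
# The gadget identity itself never travels inside the RelayState value.
PENDING = {}


def build_authn_request(issuer, request_id):
    """<AuthnRequest> carrying only <Issuer>. Destination and
    AssertionConsumerServiceURL are omitted; the IdP resolves the ACS from
    its registration of this issuer."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encoded query params."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header/trailer
    deflated = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    }
    return idp_url + "?" + urlencode(params)


def start_login_for_gadget(gadget_id):
    """Request-generating servlet: one AuthnRequest per gadget, keyed by RelayState."""
    request_id = "_" + uuid.uuid4().hex
    relay_state = secrets.token_urlsafe(24)  # unguessable; the IdP echoes it back unchanged
    PENDING[relay_state] = {"gadget_id": gadget_id, "request_id": request_id}
    return redirect_binding_url(IDP_SSO_URL, build_authn_request(ISSUER, request_id), relay_state)


def decode_redirect_url(url):
    """What the IdP sees: inflate SAMLRequest back to XML and return it with RelayState."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, qs["RelayState"][0]


def consume_response(saml_response_xml, relay_state):
    """ACS servlet: map the <Response> back to the gadget that started the login.
    Signature and assertion validation are assumed to have been done before this."""
    pending = PENDING.pop(relay_state, None)  # one-shot: a replayed RelayState is rejected
    if pending is None:
        raise ValueError("unknown or already-used RelayState")
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != pending["request_id"]:
        raise ValueError("Response does not answer the AuthnRequest we issued")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP reported authentication failure")
    return pending["gadget_id"]


def constructed_response(request_id, status=STATUS_SUCCESS):
    """Constructed sample <Response>, standing in for what the IdP would POST to the ACS."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" InResponseTo="{request_id}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'</samlp:Response>'
    )


if __name__ == "__main__":
    url = start_login_for_gadget("weather-gadget")
    xml, rs = decode_redirect_url(url)
    print(xml)
    print("login belongs to:", consume_response(constructed_response(PENDING[rs]["request_id"]), rs))
```

Two things worth keeping from this shape: the RelayState is an opaque server-side key, not the gadget's URL or id, so the ACS never redirects or dispatches on a value the browser could rewrite; and it is consumed once and checked against InResponseTo, so a <Response> captured from one gadget's login cannot be replayed to complete another's.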
_______________________________________________
Carbon-dev mailing list
Carbon-dev@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
