Hi

Colm and I have been working recently on the initial support for the SAML-based Web SSO support on the Service Provider (SP) side.

What we've got at the moment is the filters which can enforce the security context and redirect via GET or POST to the IDP, validate SAMLResponse and set the security context.

There's still a bit of work that needs to be completed, to do with the better security context population on the actual application path, more sophisticated support for the session management, supporting the delegation of the SAMLResponse validation. Then going forward we can think about the logout support, artifact resolution support, etc, etc...

Right now, the code lives in rt/rs/security/xml, I started prototyping the code there simply because it already contained the support for SAML-based validation of SAML assertions, etc.

However, given a number of enhancements that are expected to be added for the SSO-based support, we thought with Colm that it would make sense to move the relevant code to its own dedicated module. As I said earlier I believe this code should work with different IDPs, so for now I'm not sure that it should be moved to the Fediz sub-project. I guess the possibility of moving to Fediz can be reviewed later on again, but right now I'd suggest creating a module such as

cxf-rt-rs-security-sso-saml

under rt/rs/security/sso/saml

with the idea that perhaps some other SSO technologies will be supported at the CXF RS level in the future


Comments are welcome.

Cheers, Sergey
