[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101051#comment-17101051 ]

Cris Rockwell commented on SLING-9397:
--------------------------------------

WRT the Web Profile SSO Profile specification, line 396 states...
"SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation 
method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this 
profile."


And this is manifested in the saml2 response

    <saml:Subject>
      ...
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="_498f728a71735ba28bbc19d634517c18"
            NotOnOrAfter="2020-04-14T14:33:01.995Z"
            Recipient="https://localhost:2443/sp/consumer"/>
      </saml:SubjectConfirmation>

Line 364 gives an example about how to use this data. The data above was taken 
from an example from my localhost tests on April 14th.

The bearer of the assertion can confirm itself as the subject, provided the 
assertion is delivered in a message sent to 
"https://localhost:2443/sp/consumer" before 14:33 GMT on April 14th, 2020, in 
response to a request with ID "_498f728a71735ba28bbc19d634517c18".
When processing the SAML2 Response, this relying party code needs to validate 
these three conditions.
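The three bearer checks described in the comment above, as an added stand-alone illustration (not the handler's OpenSAML code from the pull request): it parses the SubjectConfirmation fragment quoted above and rejects it unless Recipient is this SP's consumer URL, NotOnOrAfter has not passed, and InResponseTo names an AuthnRequest this SP still has outstanding. The ACS URL, the set of outstanding request IDs and the "now" instant are inputs the caller supplies.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the SubjectConfirmation quoted in the comment above, wrapped in a Subject.
SAMPLE = f"""<saml:Subject xmlns:saml="{SAML_NS}">
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData
        InResponseTo="_498f728a71735ba28bbc19d634517c18"
        NotOnOrAfter="2020-04-14T14:33:01.995Z"
        Recipient="https://localhost:2443/sp/consumer"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime such as 2020-04-14T14:33:01.995Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_bearer_confirmation(subject_xml, acs_url, outstanding_request_ids, now):
    """Apply the three bearer checks; returns a list of failure reasons ([] means accept)."""
    root = ET.fromstring(subject_xml)
    bearer = [sc for sc in root.findall(f"{{{SAML_NS}}}SubjectConfirmation")
              if sc.get("Method") == BEARER]
    if not bearer:
        return ["no SubjectConfirmation with the bearer method"]
    data = bearer[0].find(f"{{{SAML_NS}}}SubjectConfirmationData")
    if data is None:
        return ["bearer SubjectConfirmation has no SubjectConfirmationData"]
    failures = []
    # 1. Recipient must be exactly this SP's assertion consumer URL.
    if data.get("Recipient") != acs_url:
        failures.append(f"Recipient {data.get('Recipient')!r} is not this SP's ACS URL")
    # 2. NotOnOrAfter is exclusive: the assertion is usable only while now < NotOnOrAfter.
    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is None or now >= parse_saml_instant(not_on_or_after):
        failures.append(f"NotOnOrAfter {not_on_or_after} has passed or is missing")
    # 3. InResponseTo must name an AuthnRequest this SP issued and has not yet consumed.
    if data.get("InResponseTo") not in outstanding_request_ids:
        failures.append(f"InResponseTo {data.get('InResponseTo')!r} matches no outstanding request")
    return failures
```

Once a response passes, the caller should drop the matching ID from the outstanding set so the same assertion cannot be accepted a second time.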

> SAML2 Authentication Handler [initial submission]
> -------------------------------------------------
>
>                 Key: SLING-9397
>                 URL: https://issues.apache.org/jira/browse/SLING-9397
>             Project: Sling
>          Issue Type: New Feature
>          Components: Authentication
>         Environment: localhost
>            Reporter: Cris Rockwell
>            Priority: Major
>              Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)