Hi Ingo,

I think it should be feasible to get this scenario working in Fediz.
However, the only way I can see it working is if the IDP-A at least knows
to send requests for REALM-C to IDP-B for validation, passing through the
home realm. Actually I just reviewed the code, and the WS-Federation
protocol handler in the IdP doesn't send the realm of the configured
TrustedIdp bean as the "whr" / home-realm parameter to the remote IdP. So
I've just merged a fix for this.

Colm.

On Fri, Feb 19, 2016 at 4:43 PM, Ingo <wolf.work...@gmail.com> wrote:

> Dear list,
>
> Federation of IDPs in multiple realms (realm-a, realm-b) is shown in the
> 'simpleWebapp' example of fediz.
> Basically the trust-relations in this example are like this:
>
>     - RP-service trusts IDP/STS of Realm-A (operated within the same
> security realm)
>     - IDP/STS-A trusts IDP/STS-B
>
> Extending the example with another IDP/STS of let's say Realm-C is
> straightforward in such a way that HRDS offers 3 choices (Realm-A, Realm-B,
> Realm-C).
> However, the resulting trust relation is IDP/STS-A has two trusted IDPs (B
> and C). It is unclear if and how another setting of trust relations can be
> realized, where A and C have no direct trust relation but instead B takes
> the role of a trust-broker. So this is the targeted scenario:
>
> - IDP/STS-A and RP-Service are situated in the same security domain
> (realm).
> - IDP/STS-B is a trusted IDP of A
> - IDP/STS-C is a trusted IDP of B and not known by IDP/STS-A
> - IDP/STS-B acts as a broker (eventually doing claims mapping) between
> Realm-C and Realm-A
>
> Does anyone know if this setup is feasible with fediz?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/cxf-fediz-advanced-IDP-federation-of-multiple-realms-possible-tp5766065.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
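To make the brokered routing in this thread concrete, here is a constructed model, added to this page and not code from Fediz or from either poster, of three WS-Federation passive IdPs where A trusts only B, B trusts C, and B brokers REALM-C on A's behalf. Realm names follow the thread; the `Idp` class, the `brokers` routing table, the URLs and the `forward_whr` switch are assumptions of this illustration. The switch models the behaviour Colm describes before his fix (the TrustedIdp realm not being sent as the `whr` home-realm parameter), so the two runs at the bottom show why the pass-through matters:

```python
"""Constructed model of brokered WS-Federation IdP chaining (not Fediz code)."""
from urllib.parse import urlencode, parse_qs


class Idp:
    """A passive-requestor IdP with a routing table of trusted IdPs.

    trusted: realm -> {"url": str, "brokers": set of realms that trusted IdP
    can obtain tokens for on our behalf}.  forward_whr=False models the
    pre-fix behaviour from the thread: the home realm is not sent as "whr".
    """

    def __init__(self, realm, url, trusted=None, forward_whr=True):
        self.realm = realm
        self.url = url
        self.trusted = trusted or {}
        self.forward_whr = forward_whr

    def route_home_realm(self, whr):
        """Trusted IdP realm to forward a request for home realm `whr` to."""
        if whr in self.trusted:
            return whr                      # direct trust
        for realm, entry in self.trusted.items():
            if whr in entry["brokers"]:
                return realm                # brokered via this trusted IdP
        return None                         # no trust path: refuse, don't guess

    def signin_redirect(self, whr, wctx):
        """Build the wsignin1.0 redirect URL to the next IdP in the chain."""
        target = self.route_home_realm(whr)
        if target is None:
            raise ValueError(f"{self.realm}: no trust path to home realm {whr!r}")
        params = {"wa": "wsignin1.0", "wtrealm": self.realm, "wctx": wctx}
        if self.forward_whr:
            params["whr"] = whr             # home realm passed through unchanged
        # Only ever redirect to a URL taken from the configured trust table.
        return f"{self.trusted[target]['url']}?{urlencode(params)}"


def build_topology(forward_whr=True):
    """A trusts B only; B trusts C; B brokers REALM-C for A.  URLs are made up."""
    idp_c = Idp("REALM-C", "https://idp-c.example/federation")
    idp_b = Idp("REALM-B", "https://idp-b.example/federation",
                trusted={"REALM-C": {"url": idp_c.url, "brokers": set()}},
                forward_whr=forward_whr)
    idp_a = Idp("REALM-A", "https://idp-a.example/federation",
                trusted={"REALM-B": {"url": idp_b.url, "brokers": {"REALM-C"}}},
                forward_whr=forward_whr)
    return {i.url: i for i in (idp_a, idp_b, idp_c)}


def federation_chain(idps, start_realm, whr, wctx="ctx-1"):
    """Follow sign-in redirects from start_realm until the home realm is reached.

    Returns the list of realms visited.  If a hop drops "whr", the receiving
    IdP has no home-realm hint and authenticates the user itself, so the
    chain stops there and the token comes from the wrong realm.
    """
    current = next(i for i in idps.values() if i.realm == start_realm)
    hops = [current.realm]
    while current.realm != whr:
        base, _, query = current.signin_redirect(whr, wctx).partition("?")
        q = parse_qs(query)
        current = idps[base]
        hops.append(current.realm)
        if "whr" not in q:
            break                           # hint lost at this hop
    return hops


if __name__ == "__main__":
    # With whr forwarded: A -> B -> C.  Without it: the chain ends at B.
    print(federation_chain(build_topology(True), "REALM-A", "REALM-C"))
    print(federation_chain(build_topology(False), "REALM-A", "REALM-C"))
```

Two design points carry over to a real deployment: each IdP redirects only to URLs taken from its own configured trust table (never to a URL derived from request parameters), and a home realm with no configured trust path is rejected rather than silently authenticated locally, which is the same failure the second run shows when `whr` is dropped.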
