Wednesday Feb 06, 2008
Federated Access Manager TOI, Session 2
This morning was the second session for the Federated Access Manager TOI. Following are the topics covered (with notes).
Session 1: Secure Attribute Exchange
Emily
- Secure Attribute Exchange one-pager on OpenSSO explains it all
- Sample in path-to-context-root/fam/samples/saml2/sae directory
- No plans to port to IDFF
Bina
- Assertion Query/Request Profile
  - Query existing SAML2 assertions based on specific criteria (authentication context, assertion identifier, etc.)
  - Query initiator is the SAML Requester: initiates the profile by sending a query message to the SAML authority
  - Responder is the SAML Authority: validates and processes the query to issue a response
  - Supports:
    - Attribute Query (request attributes from a specific identity; a successful response is an assertion containing the requested attributes): Basic Attribute and X509 Subject Attribute Queries
    - Authentication Query (request an assertion for a principal based on the authentication context; a successful response is assertion(s) containing the authentication statements available to the principal)
      - Supports SOAP only
    - Assertion Query (request existing assertion(s) using the assertion identifier(s); the assertion must be cached)
    - Authorization Decision Query (asks if a certain resource is accessible to a particular principal; made to the authorization authority/policy engine)
      - XACML authzn decision is an extension of this
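The requester/authority exchange described above, as an added example that is not FAM/OpenSSO code: the SAML Requester builds an AttributeQuery inside a SOAP envelope, the SAML Authority answers with an assertion carrying only the requested attributes (or a Requester status if the issuer is outside the circle of trust), and the requester refuses the attributes unless the Response is bound to its own request ID, issued by the expected authority and about the expected subject. The entity IDs and the attribute store are constructed, and XML signature verification, which a deployment needs, is left out.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 / SOAP namespaces used by the Assertion Query/Request profile.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed attribute store for the authority; not real data.
ATTRIBUTE_STORE = {"user-1234": {"mail": ["alice@example.test"], "role": ["staff"]}}


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def issue_instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_attribute_query(requester, subject_id, attribute_names):
    """SAML Requester: wrap an AttributeQuery in a SOAP Envelope.
    Returns (request ID, XML); the ID is kept to check InResponseTo later."""
    request_id = "_" + secrets.token_hex(16)
    env = ET.Element(tag("soap", "Envelope"))
    body = ET.SubElement(env, tag("soap", "Body"))
    query = ET.SubElement(body, tag("samlp", "AttributeQuery"), ID=request_id,
                          Version="2.0", IssueInstant=issue_instant())
    ET.SubElement(query, tag("saml", "Issuer")).text = requester
    subject = ET.SubElement(query, tag("saml", "Subject"))
    ET.SubElement(subject, tag("saml", "NameID"), Format=PERSISTENT).text = subject_id
    for name in attribute_names:  # an empty list asks for all attributes
        ET.SubElement(query, tag("saml", "Attribute"), Name=name)
    return request_id, ET.tostring(env, encoding="unicode")


def answer_attribute_query(authority, soap_request, trusted_requesters):
    """SAML Authority: validate the query and answer with an assertion that
    carries only the requested attributes, or a Requester status on error."""
    query = ET.fromstring(soap_request).find("soap:Body/samlp:AttributeQuery", NS)
    env = ET.Element(tag("soap", "Envelope"))
    body = ET.SubElement(env, tag("soap", "Body"))
    resp = ET.SubElement(body, tag("samlp", "Response"), ID="_" + secrets.token_hex(16),
                         Version="2.0", IssueInstant=issue_instant(),
                         InResponseTo=query.get("ID"))
    ET.SubElement(resp, tag("saml", "Issuer")).text = authority
    status = ET.SubElement(ET.SubElement(resp, tag("samlp", "Status")), tag("samlp", "StatusCode"))
    issuer = query.findtext("saml:Issuer", namespaces=NS)
    subject_id = query.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # Answer only requesters in the circle of trust, and only for known principals.
    if issuer not in trusted_requesters or subject_id not in ATTRIBUTE_STORE:
        status.set("Value", REQUESTER_ERROR)
        return ET.tostring(env, encoding="unicode")
    status.set("Value", SUCCESS)
    wanted = [a.get("Name") for a in query.findall("saml:Attribute", NS)]
    assertion = ET.SubElement(resp, tag("saml", "Assertion"), ID="_" + secrets.token_hex(16),
                              Version="2.0", IssueInstant=issue_instant())
    ET.SubElement(assertion, tag("saml", "Issuer")).text = authority
    subject = ET.SubElement(assertion, tag("saml", "Subject"))
    ET.SubElement(subject, tag("saml", "NameID"), Format=PERSISTENT).text = subject_id
    statement = ET.SubElement(assertion, tag("saml", "AttributeStatement"))
    for name, values in ATTRIBUTE_STORE[subject_id].items():
        if wanted and name not in wanted:
            continue  # release only what was asked for
        attribute = ET.SubElement(statement, tag("saml", "Attribute"), Name=name)
        for value in values:
            ET.SubElement(attribute, tag("saml", "AttributeValue")).text = value
    return ET.tostring(env, encoding="unicode")


def parse_attribute_response(soap_response, request_id, expected_issuer, expected_subject):
    """SAML Requester: trust the attributes only if the response is bound to our
    request, comes from the expected authority and names our subject. A real
    deployment also verifies the XML signature, which is omitted here."""
    resp = ET.fromstring(soap_response).find("soap:Body/samlp:Response", NS)
    if resp.get("InResponseTo") != request_id:
        raise ValueError("response is not bound to our request")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return None  # authority refused; nothing to release
    assertion = resp.find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected authority")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected_subject:
        raise ValueError("assertion is about a different subject")
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
```

Calling `build_attribute_query("https://sp.example.test", "user-1234", ["mail"])`, feeding the XML to `answer_attribute_query` with the SP in the trusted set and then to `parse_attribute_response` with the saved request ID yields `{"mail": ["alice@example.test"]}`; an untrusted issuer gets a Requester status and the parser returns nothing, and a response whose InResponseTo does not match is rejected outright.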
- Enhanced Client or Proxy (ECP)
  - Specifies interactions between enhanced clients or proxies (e.g. HTTP proxy) and SPs and IDPs
  - ECP acts as a SOAP intermediary between the SP and IDP
  - SSO Profile with PAOS Binding
  - FAM 8.0 SAMLv2 IDP and SP are able to process requests received from an ECP
  - Arrow of step 6 should be going the other way, and some type of authentication is required between 5 and 6
  - ECP Client included as part of OpenSSO Extensions, not FAM; can be used for testing
    - Proxy Version (HTTP)
    - Java Based Version (HTTPS)
- Name Identifier Management
  - Allows the change of a principal's name identifier (shared between IDP and SP) after federation (possibly for security purposes, or maybe the IDP has a timing rule)
  - IDP can issue a ManageNameIDRequest to the SP to change the name identifier shared between them from a previous SSO
  - SP can issue a ManageNameIDRequest to attach an alias to its Principal
  - ManageNameIDResponse is returned after processing the request
  - Subsequent communication between SP and IDP will use the new name identifier
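As an added example of the IDP-initiated case above (not FAM/OpenSSO code), the IDP builds a ManageNameIDRequest carrying either a NewID or a Terminate element, and the SP side updates its federation record and answers with a ManageNameIDResponse. The SP only touches its store when the issuer is a trusted IDP and the old NameID is one that IDP actually shares with it; an unknown pairing is reported with the second-level UnknownPrincipal status, while an untrusted issuer gets a bare Requester status and learns nothing about which identifiers exist. Entity IDs and the federation store are constructed, and signature handling is omitted.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SP_ENTITY_ID = "https://sp.example.test"  # constructed SP entity ID

# Constructed SP federation store: (IDP entity ID, shared NameID) -> local account.
FEDERATIONS = {("https://idp.example.test", "persistent-abc"): "alice"}


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def issue_instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_manage_nameid_request(issuer, current_id, new_id=None, terminate=False):
    """IDP side: ask the SP to replace the shared NameID with NewID, or,
    with <Terminate/>, to end the federation (Name Identifier Termination)."""
    req = ET.Element(tag("samlp", "ManageNameIDRequest"), ID="_" + secrets.token_hex(16),
                     Version="2.0", IssueInstant=issue_instant())
    ET.SubElement(req, tag("saml", "Issuer")).text = issuer
    ET.SubElement(req, tag("saml", "NameID"), Format=PERSISTENT).text = current_id
    if terminate:
        ET.SubElement(req, tag("samlp", "Terminate"))
    else:
        ET.SubElement(req, tag("samlp", "NewID")).text = new_id
    return ET.tostring(req, encoding="unicode")


def handle_manage_nameid_request(xml_request, trusted_idps, federations):
    """SP side: update the federation record and return a ManageNameIDResponse.
    `federations` is mutated in place only for a trusted issuer and a known pairing."""
    req = ET.fromstring(xml_request)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    current_id = req.findtext("saml:NameID", namespaces=NS)
    terminate = req.find("samlp:Terminate", NS) is not None
    new_id = req.findtext("samlp:NewID", namespaces=NS)
    resp = ET.Element(tag("samlp", "ManageNameIDResponse"), ID="_" + secrets.token_hex(16),
                      Version="2.0", IssueInstant=issue_instant(), InResponseTo=req.get("ID"))
    ET.SubElement(resp, tag("saml", "Issuer")).text = SP_ENTITY_ID
    top = ET.SubElement(ET.SubElement(resp, tag("samlp", "Status")), tag("samlp", "StatusCode"))
    key = (issuer, current_id)
    if issuer not in trusted_idps or not (terminate or new_id):
        # Outside the circle of trust or malformed: refuse without detail.
        top.set("Value", REQUESTER_ERROR)
    elif key not in federations:
        top.set("Value", REQUESTER_ERROR)
        ET.SubElement(top, tag("samlp", "StatusCode"), Value=UNKNOWN_PRINCIPAL)
    else:
        if terminate:
            del federations[key]
        else:
            # Subsequent SSO from this IDP must present the new identifier.
            federations[(issuer, new_id)] = federations.pop(key)
        top.set("Value", SUCCESS)
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_response):
    """Return (top-level status, second-level status or None) of a response."""
    top = ET.fromstring(xml_response).find("samlp:Status/samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS)
    return top.get("Value"), None if second is None else second.get("Value")
```

Renaming `persistent-abc` to `persistent-xyz` succeeds and moves the record, a second rename of the now-stale identifier returns Requester/UnknownPrincipal, a Terminate request removes the record, and a request from an issuer outside the trusted set leaves the store untouched.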
- Name Identifier Mapping
- POST Binding
  - Added support for POST binding for a number of profiles:
    - Web SSO Profile
    - Single Logout Profile
    - Name Identifier Management
    - Name Identifier Termination
- Affiliations is a feature, not a profile; will be implemented with SAML2 but will be very close to what we already have for IDFF
Pat
- ***URL encoding
- WS-* spec for SSO
- Web (Passive) Profile similar to SAML (browser based SSO)
- Changed name to Web (Passive) for 1.1
- Token type is abstract
- Exchange based on WS-Trust
- Relies on username in AD and FAM8
- WS-Federation specs
- Microsoft Step-by-Step Guide for Active Directory Federation Services
- OpenSSO WS-Federation How-To
Dilli
- XACML represents access control policies, requests and responses to get policies and authzn decisions
- XACMLv2.0 is the current standard
- Support SAML2 profile of XACML
  - XACMLAuthzDecisionQuery
  - XACMLAuthzDecisionStatement
- Aravindan says should be doc'ed under Policy
- Sample in path-to-context-root/fam/samples/sdk directory
- XACML Design Doc
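The SAML2 profile of XACML named above, as an added example that is not FAM/OpenSSO code: a policy enforcement point (PEP) wraps a XACML Request context (subject, resource, action) in an XACMLAuthzDecisionQuery, a toy policy decision point (PDP) evaluates it against a constructed, deny-by-default rule list and returns the XACML Response inside an XACMLAuthzDecisionStatement, and the PEP accepts the Decision only when the response answers its own query and comes from the PDP it asked. The PEP/PDP entity IDs, the resources and the policy are constructed; signatures are omitted.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-samlp": "urn:oasis:xacml:2.0:saml:protocol:schema:os",
    "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"

# Constructed policy for the toy PDP: (resource prefix, action, permitted subjects).
# First matching rule decides; a matching rule with an unlisted subject is a Deny.
POLICY = [
    ("https://app.example.test/admin/", "GET", {"alice"}),
    ("https://app.example.test/reports/", "GET", {"alice", "bob"}),
]

def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def issue_instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authz_decision_query(pep, subject, resource, action):
    """PEP side: XACMLAuthzDecisionQuery carrying a XACML Request context."""
    query_id = "_" + secrets.token_hex(16)
    query = ET.Element(tag("xacml-samlp", "XACMLAuthzDecisionQuery"), ID=query_id,
                       Version="2.0", IssueInstant=issue_instant(),
                       InputContextOnly="true", ReturnContext="false")
    ET.SubElement(query, tag("saml", "Issuer")).text = pep
    request = ET.SubElement(query, tag("xacml-context", "Request"))
    for category, attr_id, data_type, value in (("Subject", SUBJECT_ID, XS_STRING, subject),
                                                ("Resource", RESOURCE_ID, XS_ANYURI, resource),
                                                ("Action", ACTION_ID, XS_STRING, action)):
        holder = ET.SubElement(request, tag("xacml-context", category))
        attribute = ET.SubElement(holder, tag("xacml-context", "Attribute"),
                                  AttributeId=attr_id, DataType=data_type)
        ET.SubElement(attribute, tag("xacml-context", "AttributeValue")).text = value
    ET.SubElement(request, tag("xacml-context", "Environment"))
    return query_id, ET.tostring(query, encoding="unicode")

def evaluate(subject, resource, action):
    for prefix, rule_action, subjects in POLICY:
        if resource.startswith(prefix) and action == rule_action:
            return "Permit" if subject in subjects else "Deny"
    return "NotApplicable"

def answer_authz_decision_query(pdp, query_xml):
    """PDP side: evaluate the context and wrap the XACML Response in an
    assertion carrying an XACMLAuthzDecisionStatement."""
    query = ET.fromstring(query_xml)

    def attr_value(category, attr_id):
        for attribute in query.findall("xacml-context:Request/xacml-context:%s/"
                                       "xacml-context:Attribute" % category, NS):
            if attribute.get("AttributeId") == attr_id:
                return attribute.findtext("xacml-context:AttributeValue", namespaces=NS)
        return None

    decision = evaluate(attr_value("Subject", SUBJECT_ID),
                        attr_value("Resource", RESOURCE_ID),
                        attr_value("Action", ACTION_ID))
    resp = ET.Element(tag("samlp", "Response"), ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=issue_instant(), InResponseTo=query.get("ID"))
    ET.SubElement(resp, tag("saml", "Issuer")).text = pdp
    ET.SubElement(ET.SubElement(resp, tag("samlp", "Status")), tag("samlp", "StatusCode"), Value=SUCCESS)
    assertion = ET.SubElement(resp, tag("saml", "Assertion"), ID="_" + secrets.token_hex(16),
                              Version="2.0", IssueInstant=issue_instant())
    ET.SubElement(assertion, tag("saml", "Issuer")).text = pdp
    statement = ET.SubElement(assertion, tag("xacml-saml", "XACMLAuthzDecisionStatement"))
    result = ET.SubElement(ET.SubElement(statement, tag("xacml-context", "Response")),
                           tag("xacml-context", "Result"))
    ET.SubElement(result, tag("xacml-context", "Decision")).text = decision
    return ET.tostring(resp, encoding="unicode")

def parse_authz_decision(response_xml, query_id, expected_pdp):
    """PEP side: accept the decision only if it answers our query and comes
    from the PDP we asked; anything but "Permit" must be treated as no access."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != query_id:
        raise ValueError("response is not bound to our query")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return "Indeterminate"  # fail closed when the PDP could not answer
    assertion = resp.find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_pdp:
        raise ValueError("decision issued by an unexpected PDP")
    return assertion.findtext("xacml-saml:XACMLAuthzDecisionStatement/xacml-context:Response/"
                              "xacml-context:Result/xacml-context:Decision", namespaces=NS)
```

With the constructed policy, alice gets Permit on the admin resource and bob gets Deny there but Permit on reports; an unlisted subject on a covered resource is a Deny, a resource or action no rule covers is NotApplicable, and the PEP must treat all three non-Permit outcomes as no access.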
Wei
- IDP proxy is one entity that acts as both IDP and SP
- In wei -> ping -> jamie example, ping is IDP proxy
- Supports:
  - SSO
  - SSO with IDP disco service
  - SLO
- IDP proxy supports chaining
- useIntroductionforIDPproxy attribute is to turn on Disco Service
- #1 use case in slides is the default
Wei
- Support for IDFF, SAML2, WS-Fed in one circle of trust
  - Enables a circle-of-trust to contain entities supporting different kinds of federation protocols
  - Enables SSO and SLO to work across heterogeneous protocols within the same circle-of-trust; mainly to enable SSO and SLO for the same session shared among different ID-FF/SAML2/WS-Federation IDPs hosted on the same FAM instance
  - Sample included in which the user will create a circle of trust containing one multi-federation-protocol Identity Provider instance and three Service Provider instances speaking the ID-FF, SAMLv2 and WS-Federation protocols
Aravindan
- Allow developers to invoke FAM without knowledge of product
- Developer uses PHP et al. and may not need our client API
- Use IDE to implement in your application
- WSDL URL used in IDE
- REST URL used with scripting languages
- Change name of feature
Posted at 04:41PM Feb 06, 2008 by Michael Teger in Sun