OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Simplest-to-deploy java SAML idp?

Hi Scott,

For now, it will be pretty much the scenario outlined in this diagram on the SAML2.0 article on wikepedia:


1) User reqeusts a service on web site A
2) User is forwarded to web site B (which must be branded, must be able to look however we want it to look), which has a login form
3) User logs in
  - Login is handled a bit of convoluted java code which queries multiple databases, looks for the user on multiple systems
4) User's browser is redirected via POST to web site A, where s/he is now "logged in". In addtion to saying "this user is allowed access", the post submission should communicate some user-profile information (for now, just email address)

I think the best solution for now is the absolute simplest solution I can get away with.

Any thoughts on the best package for me to use are very much appreciated!


On Mon, Dec 29, 2008 at 2:58 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> Yeah, I'm aware of that, and while not ideal, that may be acceptable. I'm
> not enthuastic about coaxing our sysadmins through the edits to the jre's
> security stuff that might be required though:

Then you can forgo any back-channel protocols with client TLS
authentication, or just don't rely on a Java web server (which means you
need Apache, meaning a different level of sysadmin involvement). There are a
variety of trade-offs.

You haven't described what actual use cases involving SAML you need, so
without knowing that in some detail, it's hard to identify what the actual
IdP requirements are (independent of Shibboleth per se).

-- Scott

(646) 206-8337

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]