java - Authorization using Shibboleth SSO

We have integrated Shibboleth web SSO into our application to authenticate users, and now we want authorization in our application. Below is the process we are thinking of for authz.
- According to the Shibboleth IdP, an unauthenticated user is redirected to login.jsp at the IdP.
- Once the user enters username and password, the page goes to our database and authenticates whether the user is valid or not. Here we want to get the permissions of the user if authenticated.
- Now the user is redirected to the IdP again with some information along with the permissions, and the IdP redirects to our service provider with the permissions, so now we can control authorization of users. Here we came to know that we have to deal with attribute-resolver.xml; right now we are using principal and transientId in the XML. We know the required info (permissions) has to come in the SAML response from the Shibboleth IdP.
So please tell me how to deal with attribute-resolver.xml to add our permissions for authorization. Important question: what is the better process for authorization using Shibboleth?
Kindly find the flow below. This is the authentication flow with the IdP; we are writing our own SP.

1) Below we encode the SAML request that goes to the IdP:

    import java.io.IOException;
    import org.joda.time.DateTime;
    import org.opensaml.common.SAMLVersion;
    import org.opensaml.saml2.core.AuthnRequest;
    import org.opensaml.saml2.core.Issuer;
    import org.opensaml.saml2.core.RequestedAuthnContext;
    import org.opensaml.xml.io.MarshallingException;
    // Pair and Encoder are our own helper classes; getIssuer(), getRequestedAuthnContext()
    // and getAuthnRequest(...) are builder helpers defined elsewhere in our SP.

    public Pair<String, String> getSamlRequest(String spUrl, String consumerUrl) {
        AuthnRequest authnRequest = null;
        //String encodedSamlRequest = null;
        Pair<String, String> encodedSamlRequest = null;
        try {
            authnRequest = this.buildAuthnRequestObject(spUrl, consumerUrl);
            Encoder encoder = Encoder.getEncoder();
            // Marshals the AuthnRequest and deflate/base64-encodes it for the redirect binding
            encodedSamlRequest = encoder.encodeAuthnRequest(authnRequest);
        } catch (MarshallingException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return encodedSamlRequest;
    }

    private AuthnRequest buildAuthnRequestObject(String spUrl, String consumerUrl) {
        Issuer issuer = getIssuer();
        issuer.setValue(spUrl);
        DateTime issueInstant = new org.joda.time.DateTime();
        RequestedAuthnContext requestedAuthnContext = getRequestedAuthnContext();
        AuthnRequest authRequest = getAuthnRequest(issueInstant, issuer, consumerUrl, spUrl);
        authRequest.setRequestedAuthnContext(requestedAuthnContext);
        // Request ID built from the clock; the IdP echoes it back as InResponseTo
        String systemTime = System.currentTimeMillis() + "";
        authRequest.setID("SSOIdSamlReq" + systemTime);
        authRequest.setVersion(SAMLVersion.VERSION_20);
        authRequest.setAssertionConsumerServiceIndex(1);
        return authRequest;
    }

2) The first time, the IdP redirects the user to login.jsp using the ExternalAuthn configuration in handler.xml:

    <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                     externalAuthnPath="/external/login"
                     supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
--> Once it comes to the above-mentioned path, the user is able to see login.jsp; the user enters credentials and, on submitting, our server validates the user. A boolean variable says whether the user is valid or not.
-> Once we get the status, our server prepares the request and response as follows and sends the user to the IdP again (AuthenticationEngine.returnToAuthenticationEngine(req, resp)).

    import java.security.Principal;
    import javax.security.auth.Subject;
    import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
    import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
    import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
    // GlobalStrings is our own constants class; login and personId come from our own
    // validation step; request/response are the servlet request and response.

    request.setAttribute(GlobalStrings.getForceAuthn(), false);
    // The principal the IdP will treat as the authenticated user
    Principal principal = new UsernamePrincipal(login.getAttributes());
    Subject subj = new Subject();
    subj.getPrincipals().add(principal);
    request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
    request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, personId);
    request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
    request.setAttribute(GlobalStrings.getAuthnMethod(), this.authenticationMethod);
    // Hand control back to the IdP's authentication engine
    AuthenticationEngine.returnToAuthenticationEngine(request, response);

3) We mention in attribute-resolver and attribute-filter the attributes released to the SP, as below:

    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
        <resolver:AttributeEncoder xsi:type="SAML2Base64"
                                   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="org_attribute_64" />
        <resolver:AttributeEncoder xsi:type="SAML2String"
                                   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="org_attribute" />
    </resolver:AttributeDefinition>

4) The required attributes are released to the SP (SAML response) for further processing (authorization).
Do you own and operate the IdP? If not, you don't have access to attribute-resolver.xml, and you must look up the attributes in your database when your application receives the principal data.

attribute-resolver.xml

This is how the IdP gets attributes that may be relevant to multiple applications. Attributes are resolved even if the application is not allowed to receive a particular attribute. If you own the IdP, and think the attribute is relevant, by all means, load it in the IdP and read it out when your application receives the SAML response from the IdP.

This is a matter of design, and different designs are better for different use cases. Also, the more complex the permissions data, the more the app should handle it.
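As an added example of the "load it in the IdP" option the answer describes (this is not code from the question, the answer, or the Shibboleth project), the following Shibboleth IdP 2.x attribute-resolver.xml fragment pulls the authenticated user's permissions from the application's own database with a RelationalDatabase data connector and releases them as a multi-valued SAML 2 string attribute. The table and column names (user_permissions, user_id, permission), the JDBC settings, the connector id and the attribute name urn:example:app:permission are all assumptions chosen for the example.

```xml
<!-- Added example for attribute-resolver.xml (Shibboleth IdP 2.x). Table, column,
     JDBC and attribute names are assumptions, not values from the question. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Data connector: one row per permission held by the authenticated user.
         $requestContext.principalName is the name the IdP itself established at
         login (the value passed as LoginHandler.PRINCIPAL_NAME_KEY), so the query
         is keyed on the IdP's authentication result, not on a request parameter.
         Use a read-only database account for the IdP. -->
    <resolver:DataConnector id="appPermissionsDb" xsi:type="dc:RelationalDatabase">
        <dc:ApplicationManagedConnection
            jdbcDriver="org.postgresql.Driver"
            jdbcURL="jdbc:postgresql://db.example.internal/appdb"
            jdbcUserName="idp_reader"
            jdbcPassword="PLACEHOLDER-READ-ONLY-PASSWORD" />
        <dc:QueryTemplate>
            <![CDATA[
                SELECT permission
                  FROM user_permissions
                 WHERE user_id = '$requestContext.principalName'
            ]]>
        </dc:QueryTemplate>
        <!-- Every row's "permission" column becomes one value of appPermission -->
        <dc:Column columnName="permission" attributeID="appPermission" />
    </resolver:DataConnector>

    <!-- Attribute definition: passes the connector output through unchanged and
         encodes it as a SAML 2 string attribute the SP can read from the
         AttributeStatement of the assertion. -->
    <resolver:AttributeDefinition id="appPermission" xsi:type="ad:Simple"
                                  sourceAttributeID="appPermission">
        <resolver:Dependency ref="appPermissionsDb" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                                   name="urn:example:app:permission"
                                   friendlyName="appPermission" />
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

Resolving the attribute is not enough on its own: as the answer notes, the resolver runs regardless of what the SP is allowed to see, so attribute-filter.xml also needs an AttributeFilterPolicy whose PolicyRequirementRule matches your SP's entityID (for example basic:AttributeRequesterString) and an AttributeRule for appPermission with a PermitValueRule of type basic:ANY; without that release rule the values never reach the SAML response. On the SP side, read the values from the AttributeStatement only after the response and assertion signatures, Issuer, Audience, InResponseTo and validity window have been checked, since an unverified assertion is just XML anyone could have produced.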