java - Authorization using Shibboleth SSO


We have integrated Shibboleth Web SSO with our application to authenticate users, and now we want to do authorization in our application. Below is the process we are thinking of for authz.

  • According to the Shibboleth IdP flow, an unauthenticated user is redirected to login.jsp on the IdP.
  • Once the user enters username and password, the page goes to our database and authenticates whether the user is valid or not. Here we want to get the user's permissions if the user is authenticated.
  • Now the user is again redirected to the IdP with some information along with the permissions, and the IdP redirects to our service provider with the permissions, so that we can control authorization of users. Here I came to know that we have to deal with attribute-resolver.xml; right now we are using principal and transientId in that XML. I don't know how to get the required info (permissions) into the SAML response from the Shibboleth IdP.

So please tell me how to deal with attribute-resolver.xml to add our permissions for authorization. The important question: what is the better process for authorization using Shibboleth?

Kindly see the following flow we are following... The authentication flow is through the IdP, and we are writing our own SP. 1) Below we encode the SAML request going to the IdP, as follows:

    import java.io.IOException;

    import org.joda.time.DateTime;
    import org.opensaml.common.SAMLVersion;
    import org.opensaml.saml2.core.AuthnRequest;
    import org.opensaml.saml2.core.Issuer;
    import org.opensaml.saml2.core.RequestedAuthnContext;
    import org.opensaml.xml.io.MarshallingException;

    // Builds the SAML AuthnRequest and encodes it for the redirect to the IdP.
    // getIssuer(), getRequestedAuthnContext(), getAuthnRequest(...), Encoder and Pair
    // are our own helper classes/methods defined elsewhere in the SP.
    public Pair<String, String> getSamlRequest(String spUrl, String consumerUrl) {
        Pair<String, String> encodedSamlRequest = null;
        try {
            AuthnRequest authnRequest = this.buildAuthnRequestObject(spUrl, consumerUrl);
            Encoder encoder = Encoder.getEncoder();
            encodedSamlRequest = encoder.encodeAuthnRequest(authnRequest);
        } catch (MarshallingException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return encodedSamlRequest;
    }

    private AuthnRequest buildAuthnRequestObject(String spUrl, String consumerUrl) {
        Issuer issuer = getIssuer();
        issuer.setValue(spUrl);                     // our SP entityID

        DateTime issueInstant = new DateTime();
        RequestedAuthnContext requestedAuthnContext = getRequestedAuthnContext();
        AuthnRequest authRequest = getAuthnRequest(issueInstant, issuer, consumerUrl, spUrl);

        authRequest.setRequestedAuthnContext(requestedAuthnContext);
        // Request ID built from the clock; the SP should remember it so the
        // InResponseTo of the IdP's response can be checked against it.
        String systemTime = Long.toString(System.currentTimeMillis());
        authRequest.setID("ssoidsamlreq" + systemTime);
        authRequest.setVersion(SAMLVersion.VERSION_20);
        authRequest.setAssertionConsumerServiceIndex(1);
        return authRequest;
    }

2) The first time, the IdP redirects the user to login.jsp using the configuration in handler.xml with ExternalAuthn:

    <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                     externalAuthnPath="/external/login"
                     supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:saml:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

--> Once it comes to the above mentioned path, the user is able to see login.jsp; the user enters credentials and submits them, and our server validates the user. A boolean variable tells whether the user is valid or not.

-> Once we get the status from our server, we prepare the request and response as follows and send them to the IdP again (AuthenticationEngine.returnToAuthenticationEngine(req, resp)).

    import java.security.Principal;
    import javax.security.auth.Subject;

    import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
    import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
    import edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePrincipal;

    // Hand the authenticated principal back to the IdP's authentication engine.
    // login, personId, GlobalStrings and this.authenticationMethod are our own
    // objects populated earlier in the external login servlet.
    request.setAttribute(GlobalStrings.getForceAuthn(), false);
    Principal principal = new UsernamePrincipal(login.getAttributes());
    Subject subj = new Subject();
    subj.getPrincipals().add(principal);
    request.setAttribute(LoginHandler.PRINCIPAL_KEY, principal);
    request.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, personId);
    request.setAttribute(LoginHandler.SUBJECT_KEY, subj);
    request.setAttribute(GlobalStrings.getAuthnMethod(), this.authenticationMethod);
    AuthenticationEngine.returnToAuthenticationEngine(request, response);

3) We mention in attribute-resolver.xml and attribute-filter.xml the attributes released to the SP, as below:

    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
        <resolver:AttributeEncoder xsi:type="SAML2Base64"
                                   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="org_attribute_64" />
        <resolver:AttributeEncoder xsi:type="SAML2String"
                                   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="org_attribute" />
    </resolver:AttributeDefinition>

4) The required attributes are released to the SP (in the SAML response) for further processing (authorization).
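As an added example (not from the original post), this is how a permissions attribute can be wired into the IdP when you operate the IdP yourself: a RelationalDatabase data connector in attribute-resolver.xml that queries your own user-permissions table for the principal the IdP just authenticated, a Simple attribute definition on top of it, and an attribute-filter.xml policy that releases the attribute to your SP only. The connector id, table and column names, JDBC settings, attribute name and the SP entityID are placeholders to adapt.

```xml
<!-- attribute-resolver.xml (IdP v2 syntax). Added example; names, JDBC details
     and entityIDs are placeholders. -->
<resolver:DataConnector id="appPermissionsDB" xsi:type="dc:RelationalDatabase"
                        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc">
    <dc:ApplicationManagedConnection jdbcDriver="org.postgresql.Driver"
                                     jdbcURL="jdbc:postgresql://dbhost/appdb"
                                     jdbcUserName="idp_reader"
                                     jdbcPassword="CHANGE_ME" />
    <!-- $requestContext.principalName is the user the IdP has just authenticated;
         one row per permission gives a multi-valued attribute -->
    <dc:QueryTemplate>
        <![CDATA[
            SELECT permission FROM user_permissions
            WHERE username = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <dc:Column columnName="permission" attributeID="permission" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="appPermissions" xsi:type="ad:Simple"
                              xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="permission">
    <resolver:Dependency ref="appPermissionsDB" />
    <!-- released as a SAML 2 string attribute; the SP reads it by this name -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:example:app:permissions"
                               friendlyName="appPermissions" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: resolution alone releases nothing; this policy lets
     only our SP receive the attribute -->
<afp:AttributeFilterPolicy id="releaseAppPermissions">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="appPermissions">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Two points to check when using this. The principal name is interpolated into the SQL text by the IdP's query template, so make sure the usernames your login page accepts are constrained (no quote characters) before they reach this connector, and give the IdP's database account read-only access to that one table. And because the permissions arrive in the signed assertion, the SP must verify the assertion signature and audience before it trusts a single value; attribute values that reach your code any other way (for example from an unsigned request parameter) are not evidence of anything.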

Do you own and operate the IdP? If not, you don't have access to attribute-resolver.xml and must look up the attributes in your database when your application receives the principal data.

attribute-resolver.xml is how the IdP gets attributes that may be relevant to multiple applications. Attributes are resolved even if an application is not allowed to receive a particular attribute. If you own the IdP, and you think the attribute is relevant, that means you load it in the IdP and read it out when your application receives the SAML response from the IdP.

This is a matter of design, and different designs are better for different use cases. Also, the more complex the permissions data, the more the app should handle it.
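Added example of the SP-side half of the design described in this answer (this is not code from the question or from Shibboleth): the SP takes the principal and the attributes it has already extracted from a validated SAML assertion (signature, Issuer, Audience, InResponseTo and validity window checked first), decodes the permission values as the poster's encoders would release them (plain SAML2String `org_attribute` and base64 `org_attribute_64`), and combines them with the application's own permission table. The in-memory map standing in for that table, the attribute names and the permission strings are all constructed for the example. The combination rule is one design choice, labelled as such: the IdP is authoritative for who the user is, the application stays authoritative for what the user may do, so released permissions are honoured only where the application also knows them, and the local table applies unchanged when the IdP releases nothing.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * SP-side authorization once the SAML response has been validated.
 * Added example: attribute names follow the encoders shown in the question;
 * the permission table is a constructed in-memory stand-in for the app DB.
 */
public final class SpAuthorizer {

    /** Permissions keyed by principal name, standing in for our own DB table. */
    private final Map<String, Set<String>> localPermissions;

    public SpAuthorizer(Map<String, Set<String>> localPermissions) {
        this.localPermissions = localPermissions;
    }

    /**
     * Permission values released by the IdP, taken from the attribute map the
     * SP built from the validated Assertion. org_attribute carries plain
     * strings, org_attribute_64 carries base64-encoded strings.
     */
    public static Set<String> permissionsFromAssertion(Map<String, List<String>> attrs) {
        Set<String> perms = new LinkedHashSet<>();
        for (String v : attrs.getOrDefault("org_attribute", Collections.<String>emptyList())) {
            perms.add(v.trim());
        }
        for (String v : attrs.getOrDefault("org_attribute_64", Collections.<String>emptyList())) {
            byte[] raw = Base64.getDecoder().decode(v.trim());
            perms.add(new String(raw, StandardCharsets.UTF_8).trim());
        }
        return perms;
    }

    /**
     * Effective permissions: intersection of released and local permissions,
     * or the local set alone if the IdP released none. A permission the IdP
     * asserts but the application has never heard of is never granted.
     */
    public Set<String> effectivePermissions(String principal, Map<String, List<String>> attrs) {
        Set<String> local = localPermissions.getOrDefault(principal, Collections.<String>emptySet());
        Set<String> released = permissionsFromAssertion(attrs);
        if (released.isEmpty()) {
            return Collections.unmodifiableSet(new LinkedHashSet<>(local));
        }
        Set<String> effective = new LinkedHashSet<>(released);
        effective.retainAll(local);
        return Collections.unmodifiableSet(effective);
    }

    /** The check a protected servlet would call before serving a resource. */
    public boolean isAllowed(String principal, Map<String, List<String>> attrs, String permission) {
        return effectivePermissions(principal, attrs).contains(permission);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the application's permission table
        Map<String, Set<String>> db = new HashMap<>();
        db.put("alice", new HashSet<>(Arrays.asList("reports:read", "reports:write")));
        db.put("bob", new HashSet<>(Arrays.asList("reports:read")));
        SpAuthorizer authz = new SpAuthorizer(db);

        // Constructed attribute map, as the SP would build it from a validated Assertion:
        // one plain value and one base64 value, the latter a permission the app does not know
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("org_attribute", Arrays.asList("reports:read"));
        attrs.put("org_attribute_64", Arrays.asList(
                Base64.getEncoder().encodeToString("admin:all".getBytes(StandardCharsets.UTF_8))));

        System.out.println("alice reports:read  -> " + authz.isAllowed("alice", attrs, "reports:read"));
        System.out.println("alice admin:all     -> " + authz.isAllowed("alice", attrs, "admin:all"));
        System.out.println("bob   reports:write -> " + authz.isAllowed("bob", attrs, "reports:write"));
        System.out.println("alice, nothing released -> "
                + authz.effectivePermissions("alice", Collections.<String, List<String>>emptyMap()));
    }
}
```

If you do not operate the IdP, drop the released-attribute path entirely and call effectivePermissions with an empty map: the NameID from the assertion is the only thing the IdP needs to give you, and the lookup against your own table does the rest.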

