Issue #113: [RFE] Provide a way to delegate between different services - ipsilon

ipsilon

#113 [RFE] Provide a way to delegate between different services

Opened 9 years ago by dpal. Modified 7 years ago

Use case:

There are two services A and B connected to Ipsilon. User authenticates to service A and then service A makes a call to service B on behalf of the user. To accomplish this service A should be able to take SAML assertion acquired for user and use it to get an assertion for service B.

nkinder commented 9 years ago

This sounds like Kerberos S4U2Proxy, but for SAML. The authentication response can be made available to a SP by enabling MellonSamlResponseDump in mod_auth_mellon. We would need to have a new login plugin in Ipsilon that can take this as a credential so that SP1 can attempt to access SP2, then provide the authentication response for SP1 as it's credential with authenticating to Ipsilon.

There would also need to be some policy if we want to constrain which services are allowed to perform delegation.

nkinder commented 8 years ago

Fields changed

milestone: => Backlog

Metadata Update from @nkinder:
- Issue set to the milestone: Backlog

7 years ago

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

Major

Milestone

Backlog

rhbz

None

design_link

None

type

enhancement

component

framework

version

None

sensitive

patch_available

ipsilon

Source Code

#113 [RFE] Provide a way to delegate between different services Opened 9 years ago by dpal. Modified 7 years ago

Close issue as:

Metadata

#113 [RFE] Provide a way to delegate between different services

Opened 9 years ago by dpal. Modified 7 years ago