There are two services A and B connected to Ipsilon. User authenticates to service A and then service A makes a call to service B on behalf of the user. To accomplish this service A should be able to take SAML assertion acquired for user and use it to get an assertion for service B.
This sounds like Kerberos S4U2Proxy, but for SAML. The authentication response can be made available to an SP by enabling MellonSamlResponseDump in mod_auth_mellon. We would need to have a new login plugin in Ipsilon that can take this as a credential, so that SP1 can attempt to access SP2, then provide the authentication response for SP1 as its credential when authenticating to Ipsilon.
There would also need to be some policy if we want to constrain which services are allowed to perform delegation.
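As an added illustration of the checks the comment above calls for (constructed example code, not Ipsilon's or mod_auth_mellon's), a minimal policy check that a "SAML response as credential" login plugin could apply before issuing an assertion for the second service. It assumes the response's XML signature has already been verified by the IdP's SAML stack; the entity IDs, policy table and sample response are constructed.

```python
# Added example, not Ipsilon code: delegation checks for a SAML response
# presented as a credential. Signature verification is assumed to be done already.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.com/idp/saml2/metadata"  # constructed
# Constrained delegation policy: which presenting SP may obtain assertions for which target SP.
DELEGATION_POLICY = {
    "https://sp1.example.com/saml2/metadata": {"https://sp2.example.com/saml2/metadata"},
}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Issuer>https://idp.example.com/idp/saml2/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp1.example.com/saml2/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""  # constructed sample, as MellonSamlResponseDump would expose it (unsigned here)

def authorize_delegation(response_xml, presenting_sp, target_sp, now=None):
    """Return the subject NameID if presenting_sp may get an assertion for target_sp, else raise."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    # 1. The credential must have been issued by this IdP.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by this IdP")
    # 2. The assertion must be addressed to the SP presenting it, not replayed from another service.
    audiences = {a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)}
    if presenting_sp not in audiences:
        raise ValueError("assertion audience does not match presenting SP")
    # 3. The assertion must still be within its validity window.
    cond = assertion.find("saml:Conditions", NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion expired")
    # 4. Policy: only explicitly allowed presenting SP -> target SP pairs may delegate.
    if target_sp not in DELEGATION_POLICY.get(presenting_sp, set()):
        raise ValueError("delegation from %s to %s not permitted" % (presenting_sp, target_sp))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```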
Metadata Update from @nkinder:
- Issue set to the milestone: Backlog