By Damien Carru on Apr 14, 2014
In this article, I will show how to enable and implement Authorization Policies for Federation SSO when OIF is acting as an IdP.
When OIF authenticates a user on behalf of remote SAML / OpenID 2.0 partners, it will issue a token (SAML or OpenID) containing information about the user that the partner will consume to identify the user. As a part of the creation of the token, OIF/IdP can be configured to evaluate a Token Issuance Policy that will indicate if the user is allowed to perform Federation SSO with that particular SP/RP.
The Token Issuance Policy will be constructed with:
- The SP Partner Name as the resource
- One or more constraints:
  - The True constraint, which indicates that OIF/IdP should issue tokens for all users for the SP partners listed in the policy
  - The Identity constraint, made of:
    - A list of users: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to that list
    - Or a list of groups: OIF/IdP will ensure that the user performing Federation SSO between OIF and the remote SP belongs to a group listed in the constraint
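To make the decision logic concrete, here is a small model of the Token Issuance Policy described above. It is an added example, not Oracle's code or OIF's API: the partner names, users and groups are constructed, and it assumes that every constraint in a matching policy must be satisfied and that an SP with no matching policy is denied.

```python
"""Model of OIF/IdP Token Issuance Policy evaluation (added example, not
Oracle's code). Assumptions: a policy applies to the SP partners named as its
resource; the True constraint allows every user; an Identity constraint allows
a user who is in its user list or who belongs to one of its groups; every
constraint of a matching policy must be satisfied; no matching policy = deny."""
from dataclasses import dataclass, field


@dataclass
class TrueConstraint:
    """Issue tokens for all users of the SP partners listed in the policy."""

    def allows(self, user, groups):
        return True


@dataclass
class IdentityConstraint:
    """Allow the user if listed explicitly, or if a member of a listed group.
    The article describes a constraint holding a user list or a group list;
    here either (or both) may be set."""
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def allows(self, user, groups):
        return user in self.users or bool(self.groups & groups)


@dataclass
class TokenIssuancePolicy:
    sp_partners: frozenset  # the SP partner names used as the resource
    constraints: list = field(default_factory=list)


def may_issue_token(policies, sp_partner, user, groups):
    """True only if some policy names sp_partner as a resource and every
    constraint of that policy accepts the user (assumed: deny by default)."""
    groups = frozenset(groups)
    for policy in policies:
        if sp_partner not in policy.sp_partners:
            continue
        if policy.constraints and all(c.allows(user, groups) for c in policy.constraints):
            return True
    return False


# Constructed sample policies: one SP open to all users, one restricted.
POLICIES = [
    TokenIssuancePolicy(frozenset({"acme-sp"}), [TrueConstraint()]),
    TokenIssuancePolicy(frozenset({"partner-sp"}), [IdentityConstraint(
        users=frozenset({"alice"}), groups=frozenset({"federation-users"}))]),
]
```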
Enjoy the reading!