A Fun New Toy, Part 1
By dgolds on Feb 06, 2007
No, not the carbon fiber bike I've been lusting over. This time, my toy is a fun new site on the web.
SSOCircle is a site developed by Hu Liu, a consultant based in Steinbach, Germany. As it says on SSOCircle's home page, "SSOCircle is for those who want to federate their applications or just want to get some SSO experience. SSOCircle provides a ready to use Identity Provider."
My plate has been very full at work lately - I've been updating the Access Manager training course, AKA AM-3480 for Access Manager 7.1 among other things - but when I saw the February 2 entry on Pat's blog, I couldn't resist giving this thing a try.
Hu Liu has set up a SAML 2.0 identity provider based on the OpenSSO project. It should work with any SAML 2.0-compliant service provider (SP), and there's functionality at SSOCircle to add your own SP to the SSOCircle circle of trust (CoT). For demonstration purposes, I used the the sample service provider site that Pat mentions in his blog entry. This site has already been set up as an SP in the SSOCircle CoT. (Setting up an SP to go in the SSOCircle CoT is now on my "to do" list, and when I get around to doing it, I'll blog about it.) It took all of two minutes to set up my account at SSOCircle and federate with the sample SP site. Here are the steps I followed, if you want to try it out:
- From the SSOCircle home page, I click Login / Register and register as a new user.
- I wait for my registration confirmation e-mail to come back, and when it does, I follow the instructions in it to complete the account registration process.
- I go back to the SSOCircle home page and log in.
- I look at my cookies (because it is always a good idea to look to the cookie) and find a cookie named iPlanetDirectoryPro with a reference to an SSO token - a sure sign that OpenSSO is in the house.
- So at this stage, I'm authenticated with the identity provider, and have the SSO token reference to prove it. Now I go to the SP site. It is important to notice that the page heading reads "ZXID SP Federated SSO (user NOT logged in, no session)."
- I click Login to idp.ssocircle.com (SAML20: Artifact).
- A new screen comes up with the title, "ZXID SP Management (user logged in, session active)."
So, voila, I'm an authenticated user at the SP without having had to log in there. The SP delegated authentication to the IdP. I have an account at the IdP but not at the SP, but I am still able to use the SP's site. That's Internet SSO functionality - one of the basic features of federated identity.
Imagine if you are the administrator at the SP. Your company or organization has established a business relationship with the identity provider that says that you trust anyone who has authenticated to the IdP to let them use your web services. No provisioning, no account maintenance, and - we hope - a very quick ramp up time.
I'll check out the ramp up time - how long it takes me to set up an SP and enter the SSOCircle CoT - in a future entry.