Friday May 08, 2009

OpenSSO Fedlet Wins European Identity Award


Fedlet started out as "SAML2 lightweight SDK" 2 years ago with a small prototype with a UI to show levels of integration points. I recall Jamie demonstrating the prototype to customers in Canada and the surprisingly strong positive reactions it got. Congratulations to the Sun Federation team for productizing this into the neat concept it is today, to our friends in Canada (you know who you are) and to our energetic marketing team for coming up with the catchy "Fedlet" name.
I wonder if things would have been the same if we had kept the original "SAML2 lightweight SDK" name; likely not !! My lesson on how it takes an entire team to make anything successful.
Read all about it here : http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/

Sunday Dec 07, 2008

.Net Fedlet (Prototype)


As I was revving up the SecureAttrs C# API, I stumbled upon the .NET APIs for XML signing and verification (System.Security.Cryptography.Xml), and that led to a usable Fedlet prototype for .NET environments.

To test drive it :
  • Download saml2.dll and the sample fedlet.aspx.
  • Deploy them to your IIS server. (I copied SAML2.dll to BIN and fedlet.aspx to c:\Inetpub\wwwroot.)
  • Execute the "Create Fedlet" task on the OpenSSO instance serving as IDP, and point it at the IIS server that will execute the Fedlet, e.g. http://www.spp.com/fedlet.aspx. While you are on the console you may also set up an attribute mapping to pass user profile attributes such as cn, mail and employeeNumber from the IDP to the Fedlet as part of SSO.
  • Export the IDP public key and copy it to C:\fedlet\idp.cer (keytool -export writes a DER-encoded certificate, which the .NET X509Certificate2 class loads directly):
    cd <opensso_configdir>/<opensso_deploy_uri>
    keytool -export -keystore keystore.jks -alias test -file idp.cer
  • Test: in a browser, invoke the Fedlet at http://www.spp.com/fedlet.aspx. It will prompt you for the IDP (OpenSSO) URL. A URL representing IDP-initiated SAML2 SSO is generated and shown as a link. Click the link to initiate SSO. When prompted for authentication on the IDP end, try the demo user (password: changeit).

    Processing rules implemented :
  • IDP initiated SAML2 POST profile (Unsolicited AuthN Response)
  • verification of XML signature
  • verification of IDP entity id.
  • NotOnOrAfter rule
  • Single-use-assertion

    Work to be done :
  • Audience restriction and other SAML Conditions processing rules
  • Option to verify signature via IDP public key stored locally
  • AuthNRequest for SP initiated SSO
  • Single Logout.
  • Support for multiple IDPs

    Code will be checked into the OpenSSO source repository shortly after it is reviewed, etc.
    fedlet.aspx demonstrates a simple C# SAML2 api, modelled after the Java Fedlet API. Feedback most welcome.
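    To make the processing rules above concrete, here is an added example of the SP-side validation of an unsolicited SAML2 POST Response in C#. It is not the prototype's saml2.dll code; it applies the rules listed as implemented (XML signature, IDP entity ID, NotOnOrAfter, single use) and also the two listed as work to be done (AudienceRestriction and NotBefore), using the .NET SignedXml API against the certificate exported with keytool. Assumed, not taken from the post: the certificate path C:\fedlet\idp.cer, the entity ID values the caller passes in, and a two-minute clock-skew tolerance.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Added example, not code from the Fedlet prototype. Validates an unsolicited
// SAML 2.0 Response at the SP and returns the Assertion element on success.
// Assumptions: IDP cert exported to C:\fedlet\idp.cer, entity IDs supplied by
// the caller, two minutes of tolerated clock skew.
public static class Saml2ResponseValidator
{
    const string SamlNs  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string DsigNs  = "http://www.w3.org/2000/09/xmldsig#";
    static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(2);

    // Single-use rule: assertion IDs accepted so far, keyed to their NotOnOrAfter so
    // stale entries can be dropped. Per-process only; a web farm needs a shared store.
    static readonly Dictionary<string, DateTime> SeenAssertions = new Dictionary<string, DateTime>();

    public static XmlElement Validate(string samlResponseBase64, string idpEntityId,
                                      string spEntityId, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // reformatting would break the digest
        doc.XmlResolver = null;                                   // never resolve DTDs/entities from peer-supplied XML
        doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseBase64)));

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsigNs);

        var assertion = doc.SelectSingleNode("/samlp:Response/saml:Assertion", ns) as XmlElement;
        if (assertion == null) throw new Exception("Response carries no Assertion");

        // Rule: XML signature. Take the signature on the Assertion (else on the Response)
        // and verify it with the locally stored IDP certificate, ignoring any KeyInfo
        // the sender embedded.
        var sig = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement
               ?? doc.SelectSingleNode("/samlp:Response/ds:Signature", ns) as XmlElement;
        if (sig == null) throw new Exception("Response is not signed");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);
        if (!signedXml.CheckSignature(idpCert, true)) throw new Exception("XML signature invalid");

        // The single Reference must point at the element the signature is enveloped in,
        // so the assertion we act on is the one that was actually signed.
        var signedElement = (XmlElement)sig.ParentNode;
        var expectedUri = "#" + signedElement.GetAttribute("ID");
        var refs = signedXml.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != expectedUri)
            throw new Exception("signature does not cover the enclosing element");

        // Rule: Issuer must be the IDP this Fedlet was created for.
        var issuer = assertion.SelectSingleNode("saml:Issuer", ns);
        if (issuer == null || issuer.InnerText.Trim() != idpEntityId)
            throw new Exception("unexpected Issuer");

        // Rules: validity window (NotBefore / NotOnOrAfter) and AudienceRestriction.
        var cond = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (cond == null) throw new Exception("Assertion has no Conditions");
        var now = DateTime.UtcNow;
        if (cond.HasAttribute("NotBefore") &&
            now + ClockSkew < XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc))
            throw new Exception("Assertion not yet valid");
        if (!cond.HasAttribute("NotOnOrAfter")) throw new Exception("Conditions lacks NotOnOrAfter");
        var notOnOrAfter = XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        if (now - ClockSkew >= notOnOrAfter) throw new Exception("Assertion expired");

        var restrictions = cond.SelectNodes("saml:AudienceRestriction", ns);
        if (restrictions.Count == 0) throw new Exception("no AudienceRestriction");
        foreach (XmlElement r in restrictions)   // every restriction present must name this SP
        {
            bool ok = false;
            foreach (XmlElement a in r.SelectNodes("saml:Audience", ns))
                if (a.InnerText.Trim() == spEntityId) ok = true;
            if (!ok) throw new Exception("Assertion not addressed to this SP");
        }

        // Rule: single use. Reject a replayed assertion ID, dropping entries that
        // would be rejected as expired anyway.
        var id = assertion.GetAttribute("ID");
        lock (SeenAssertions)
        {
            var stale = new List<string>();
            foreach (var kv in SeenAssertions) if (kv.Value <= now - ClockSkew) stale.Add(kv.Key);
            foreach (var k in stale) SeenAssertions.Remove(k);
            if (SeenAssertions.ContainsKey(id)) throw new Exception("Assertion replayed");
            SeenAssertions[id] = notOnOrAfter;
        }
        return assertion;
    }
}
```

    From fedlet.aspx this would be called in Page_Load on a POST with Request.Form["SAMLResponse"], the IDP entity ID and the Fedlet's own entity ID as configured in the Create Fedlet task (placeholders here), and new X509Certificate2(@"C:\fedlet\idp.cer"); the returned Assertion element is then where the mapped attributes (cn, mail, employeeNumber) are read from. Note that CheckSignature is given the pinned certificate rather than the KeyInfo from the message, so the only thing a sender can influence is whether the check passes, not which key it is checked against.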
About

rajeev
