Sunday Dec 07, 2008

.Net Fedlet (Prototype)


As I was revving up the SecureAttrs C# API, I stumbled upon .Net APIs to perform XML signing and verification, and that led to a usable Fedlet prototype for .Net environments.

To test-drive it:
  • Download saml2.dll and the sample fedlet.aspx.
  • Deploy them to your IIS server. (I copied SAML2.dll to BIN and fedlet.aspx to c:\Inetpub\wwwroot.)
  • Execute the "Create Fedlet" task on the OpenSSO instance serving as IDP and point it at the IIS server that will run the Fedlet, e.g. http://www.spp.com/fedlet.aspx. While you are on the console you may also set up an attribute mapping to pass user profile attributes such as cn, mail and employeeNumber from the IDP to the Fedlet as part of SSO.
  • Export the IDP public key and copy it to C:\fedlet\idp.cer:
    cd <opensso_configdir>/<opensso_deploy_uri>
    keytool -export -keystore keystore.jks -alias test -file idp.cer
  • Test: in a browser, invoke the Fedlet at http://www.spp.com/fedlet.aspx. It will prompt you for the IDP (OpenSSO) URL, then generate a URL for IDP-initiated SAML2 SSO and show it as a link. Click the link to initiate SSO. When prompted for authentication on the IDP side, try the demo user (password: changeit).

    Processing rules implemented:
  • IDP-initiated SAML2 POST profile (unsolicited AuthN Response)
  • Verification of the XML signature
  • Verification of the IDP entity ID
  • NotOnOrAfter rule
  • Single-use assertion (replay detection)

    Work to be done:
  • Audience restriction and the other SAML Conditions processing rules
  • Option to verify the signature via an IDP public key stored locally
  • AuthnRequest for SP-initiated SSO
  • Single Logout
  • Support for multiple IDPs

    The code will be checked into the OpenSSO source repository shortly, once it has been reviewed.
    fedlet.aspx demonstrates a simple C# SAML2 API, modelled after the Java Fedlet API. Feedback is most welcome.
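    The rules listed above, worked through as an added C# example; this is not the prototype's saml2.dll or fedlet.aspx, and it uses only the framework's System.Security.Cryptography.Xml SignedXml class. It assumes the base64 SAMLResponse form field of the HTTP-POST binding, the IDP entity ID the Fedlet was created for, the Fedlet's own entity ID, and the IDP certificate exported to C:\fedlet\idp.cer as in the setup steps; the class, method and field names are hypothetical. It verifies the signature against that local certificate only (never a key carried in ds:KeyInfo), checks that the signed Reference covers the very element being trusted, enforces NotBefore/NotOnOrAfter with a small skew allowance, keeps a replay cache for the single-use rule, and, going one step past the implemented list, also checks AudienceRestriction, which the post lists as future work.

```csharp
// Added example, not the Fedlet prototype's code. Hypothetical names throughout.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public static class Saml2PostValidator
{
    const string Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string Ds    = "http://www.w3.org/2000/09/xmldsig#";

    // Replay cache for the single-use-assertion rule: assertion ID -> NotOnOrAfter.
    // Assumed in-process store; a multi-node SP would need a shared one.
    static readonly Dictionary<string, DateTime> seen = new Dictionary<string, DateTime>();
    static readonly TimeSpan Skew = TimeSpan.FromMinutes(3); // tolerated clock drift (assumption)

    // Returns the validated saml:Assertion element or throws; the caller then reads
    // Subject/NameID and AttributeStatement from the returned element only.
    public static XmlElement Validate(string samlResponseB64, string expectedIdpEntityId,
                                      string spEntityId, X509Certificate2 idpCert)
    {
        // Parse with DTDs prohibited and no external resolver; PreserveWhitespace is
        // required or the canonicalised bytes no longer match what the IDP signed.
        string xml = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseB64));
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings)) doc.Load(reader);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", Samlp); ns.AddNamespace("saml", Saml); ns.AddNamespace("ds", Ds);

        XmlElement response = doc.DocumentElement;
        if (response.LocalName != "Response" || response.NamespaceURI != Samlp)
            throw new Exception("not a samlp:Response");
        var assertion = (XmlElement)response.SelectSingleNode("saml:Assertion", ns)
                        ?? throw new Exception("no plaintext saml:Assertion in Response");

        // 1. Signature: accept it on the Response or on the Assertion, verify it with the
        //    locally stored IDP certificate, and require that its single Reference points
        //    at the ID of the element it is enclosed in, i.e. the element we go on to use.
        var sigNode = (XmlElement)response.SelectSingleNode("ds:Signature", ns)
                      ?? (XmlElement)assertion.SelectSingleNode("ds:Signature", ns)
                      ?? throw new Exception("unsigned message");
        var signed = new SignedXml(doc);
        signed.LoadXml(sigNode);
        if (!signed.CheckSignature(idpCert, true))
            throw new Exception("signature verification failed");
        string signedId = ((XmlElement)sigNode.ParentNode).GetAttribute("ID");
        if (signedId.Length == 0 || signed.SignedInfo.References.Count != 1 ||
            ((Reference)signed.SignedInfo.References[0]).Uri != "#" + signedId)
            throw new Exception("signature does not cover the element being validated");

        // 2. Issuer must be the IDP this Fedlet was created for.
        string issuer = assertion.SelectSingleNode("saml:Issuer", ns)?.InnerText.Trim();
        if (issuer != expectedIdpEntityId)
            throw new Exception("unexpected issuer: " + issuer);

        // 3. Conditions: NotBefore / NotOnOrAfter with skew, plus AudienceRestriction.
        var cond = (XmlElement)assertion.SelectSingleNode("saml:Conditions", ns)
                   ?? throw new Exception("assertion has no Conditions");
        if (!cond.HasAttribute("NotOnOrAfter"))
            throw new Exception("Conditions has no NotOnOrAfter");
        DateTime now = DateTime.UtcNow;
        if (cond.HasAttribute("NotBefore") &&
            now + Skew < XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc))
            throw new Exception("assertion not yet valid");
        DateTime notOnOrAfter =
            XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        if (now - Skew >= notOnOrAfter)
            throw new Exception("assertion expired at " + notOnOrAfter.ToString("o"));
        XmlNodeList audiences = cond.SelectNodes("saml:AudienceRestriction/saml:Audience", ns);
        bool audienceOk = false;
        foreach (XmlNode a in audiences) if (a.InnerText.Trim() == spEntityId) audienceOk = true;
        if (audiences.Count > 0 && !audienceOk)
            throw new Exception("assertion not addressed to " + spEntityId);

        // 4. Single use: reject an assertion ID seen before. Entries whose NotOnOrAfter
        //    has passed can be dropped, because rule 3 rejects those assertions anyway.
        string id = assertion.GetAttribute("ID");
        if (id.Length == 0) throw new Exception("assertion has no ID");
        lock (seen)
        {
            foreach (string k in new List<string>(seen.Keys))
                if (seen[k] <= now - Skew) seen.Remove(k);
            if (seen.ContainsKey(id)) throw new Exception("replayed assertion " + id);
            seen[id] = notOnOrAfter;
        }
        return assertion;
    }

    // Usage from an .aspx handler (assumed entity IDs and certificate path):
    //   var cert = new X509Certificate2(@"C:\fedlet\idp.cer");
    //   XmlElement a = Saml2PostValidator.Validate(Request.Form["SAMLResponse"],
    //       "http://idp.example.com:8080/opensso", "http://www.spp.com/fedlet.aspx", cert);
}
```

    The ordering matters: nothing from the message is trusted before the signature and Reference check pass, so the Issuer, Conditions and ID that the later rules read are the signed ones. Verifying only against the local idp.cer, rather than whatever certificate the message carries in KeyInfo, is what ties the assertion to the IDP you exported the key from.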
Wednesday Nov 08, 2006

    Learn the Power of Federation in 5 days

    Sun's Training Team has put together an excellent course on federation: Federation Boot Camp. It's quite comprehensive, starting with basic concepts and going on to hands-on labs for the cool "a-ha!" experience.
    The best part is that it's not a dull protocols-and-XML exercise: it's designed around real customer use cases and actually helps you decide which of the several possible deployments is most applicable to your particular situation.
    And of course it's all based on what I do in my day job: SJS Access Manager and Federation Manager. Please feel free to request enrollment for the next session and ask for more info: fm-bootcamp AT sun dot com.
    About

    rajeev
