Handling Token and Key requirements at Run Time, Part III: select STS at run time

In general, you may need to supply your own STSIssuedTokenConfiguration in the following cases:


  1. The client has to go through multiple STSs in a trust chain across security domains to
    access the service.

  2. The client needs to select the STS, and/or to supply token and key parameters to the STS,
    at run time, according to which service it is accessing and what that service requires.

When you write a custom configuration class that extends STSIssuedTokenConfiguration, note the following:


  1. You can obtain the targeted service endpoint at run time through
    getOtherOptions().get(STSIssuedTokenConfiguration.APPLIES_TO).

  2. Similarly, you can obtain an instance of STSIssuedTokenConfiguration that captures the entries
    of the IssuedToken policy assertion for the targeted service, through
    getOtherOptions().get(STSIssuedTokenConfiguration.ISSUED_TOKEN).

  3. Entries in the IssuedToken policy and in the client-side PreConfiguredSTS take priority and
    cannot be overridden at run time; your run time values only fill in what the policy and the
    PreConfiguredSTS leave unspecified.

  4. Different run time entries may have to be supplied for different services, so key your
    decisions on the targeted service (APPLIES_TO) rather than returning fixed values.

To illustrate the usage, we provide a new sample in Metro. Here is a description of this rather
comprehensive sample:


  1. The sample has four parts: a service, a (server side) STS, a (client side) MySTS, and the client.

  2. Service - the IssuedToken policy assertion for the service specifies that the client must
    present a SAML token issued by the (server side) STS to access the service, and that the
    issued token must carry the Role of the user.

  3. STS - the IssuedToken policy assertion for the STS specifies that the client must present an
    issued SAML token to access the STS, but it specifies neither an Issuer (STS endpoint and/or
    STS MEX address) nor Claims. A custom STSAttributeProvider processes the incoming SAML assertion
    and sets the attributes for the new SAML assertion.

  4. Client - the client supplies a run time STSIssuedTokenConfiguration which specifies that,
    for accessing the STS, an issued token from MySTS containing both Role and Locality information
    is required. Check here for the sample configuration class.

  5. In this sample, we use callback handlers instead of file locations to configure the KeyStore
    and TrustStore for both STSs. This gives you great flexibility in managing certificates and
    keys at run time.

  6. Pay special attention to the classes in the common directory. They illustrate how
    you can extend Metro to build custom solutions in various ways.
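The following class shows how the points above fit together for the scenario of the sample: it picks MySTS when the token being requested is for the server-side STS, and otherwise defers to whatever the IssuedToken assertion of the service already says. This is an added example written for this page, not the sample's own configuration class. The endpoint URLs, the package and class names, the claim URIs, and the use of WSTrustElementFactory.newInstance(protocol).createClaims(Element) to build the Claims element are assumptions; the set of abstract getters overridden here follows the STSIssuedTokenConfiguration base class as I remember it, so check both against the Metro version you build against.

```java
package sample.client; // assumed package

import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;

/** Selects the STS at run time from the targeted service (added example, not the Metro sample). */
public class StsSelectingConfiguration extends STSIssuedTokenConfiguration {

    // Assumed endpoints: the server-side STS protecting the service, and the client-side MySTS.
    private static final String STS_ENDPOINT   = "http://localhost:8080/jaxws-sts/sts";
    private static final String MYSTS_ENDPOINT = "http://localhost:8080/jaxws-mysts/mysts";
    private static final String MYSTS_MEX      = MYSTS_ENDPOINT + "/mex";

    private static final String WST13_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String SAML20   = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SYMMETRIC_KEY = WST13_NS + "/SymmetricKey";
    // Assumed claim dialect and claim type URIs for the Role and Locality attributes MySTS must issue.
    private static final String IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String[] MYSTS_CLAIM_TYPES = {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        IC_NS + "/claims/locality"
    };

    /** Endpoint of the service the token is being requested for; Metro sets it before calling the getters. */
    private String appliesTo() {
        Object o = getOtherOptions().get(APPLIES_TO);
        return o == null ? "" : o.toString();
    }

    /** Configuration captured from the targeted service's IssuedToken assertion, if Metro supplied one. */
    private STSIssuedTokenConfiguration policyConfig() {
        Object o = getOtherOptions().get(ISSUED_TOKEN);
        return o instanceof STSIssuedTokenConfiguration ? (STSIssuedTokenConfiguration) o : null;
    }

    /** True when the token is for the server-side STS itself: its policy names no Issuer, so we pick MySTS. */
    private boolean targetIsSts() {
        return appliesTo().startsWith(STS_ENDPOINT);
    }

    // Policy and PreConfiguredSTS entries win over these values; they only matter where the policy is silent.
    @Override public String getSTSEndpoint() {
        if (targetIsSts()) return MYSTS_ENDPOINT;
        return policyConfig() != null ? policyConfig().getSTSEndpoint() : STS_ENDPOINT;
    }
    @Override public String getSTSMEXAddress() {
        if (targetIsSts()) return MYSTS_MEX;
        return policyConfig() != null ? policyConfig().getSTSMEXAddress() : null;
    }
    @Override public String getTokenType() {
        return targetIsSts() || policyConfig() == null ? SAML20 : policyConfig().getTokenType();
    }
    @Override public String getKeyType() {
        return targetIsSts() || policyConfig() == null ? SYMMETRIC_KEY : policyConfig().getKeyType();
    }
    @Override public long getKeySize() {
        return targetIsSts() || policyConfig() == null ? 256 : policyConfig().getKeySize();
    }
    // The remaining location getters are resolved from MEX for MySTS, so null is returned there.
    @Override public String getSTSWSDLLocation() { return targetIsSts() || policyConfig() == null ? null : policyConfig().getSTSWSDLLocation(); }
    @Override public String getSTSServiceName()  { return targetIsSts() || policyConfig() == null ? null : policyConfig().getSTSServiceName(); }
    @Override public String getSTSPortName()     { return targetIsSts() || policyConfig() == null ? null : policyConfig().getSTSPortName(); }
    @Override public String getSTSNamespace()    { return targetIsSts() || policyConfig() == null ? null : policyConfig().getSTSNamespace(); }

    /** For the service, the policy's Claims (Role) stand; for the STS, ask MySTS for Role and Locality. */
    @Override public Claims getClaims() {
        if (!targetIsSts()) {
            return policyConfig() != null ? policyConfig().getClaims() : null;
        }
        try {
            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
            Element claims = doc.createElementNS(WST13_NS, "wst:Claims");
            claims.setAttribute("Dialect", IC_NS);
            for (String uri : MYSTS_CLAIM_TYPES) {
                Element claimType = doc.createElementNS(IC_NS, "ic:ClaimType");
                claimType.setAttribute("Uri", uri);
                claims.appendChild(claimType);
            }
            // Assumed factory call: turns the DOM element into Metro's Claims object.
            return WSTrustElementFactory.newInstance(WST13_NS).createClaims(claims);
        } catch (Exception e) {
            throw new IllegalStateException("cannot build Claims for MySTS", e);
        }
    }
}
```

Two things to keep in mind when adapting this. First, the decision in targetIsSts() is driven by APPLIES_TO, which Metro derives from the endpoint the client is invoking; keep the STS endpoints as fixed configuration in the class (or in a trusted properties file) rather than deriving them from anything received from the network, because the class is effectively deciding which issuer the client will trust and send its credentials to. Second, since MySTS is located through MEX here, the MEX and WSDL retrieval should go over TLS, or the MySTS certificate should be in the client's TrustStore, so that the issuer selection made at run time cannot be redirected.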
Comments:

[Trackback] Security Token Configuration in Metro

Posted by Kumar Jayanti's Blog on May 31, 2009 at 09:46 PM PDT #
About

Jiandong Guo