IdP proxy with shibboleth
Matthieu Huin
2014-10-13 22:08:23 UTC
Hello,

I'm looking into the feasibility of setting up an IdP proxy between a SAML2 SP and a SAML1.1 IdP. All I could find in terms of documentation or previous experience is this: https://spaces.internet2.edu/display/GS/SAMLIdPProxy and this documentation for OpenAM: https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario

I'd be grateful if anyone could share experiences or documentation on the subject.

Matthieu Huin

***@enovance.com
http://www.enovance.com
11 bis rue roquépine – 75008 PARIS France
--
To unsubscribe from this list send an email to use
Nate Klingenstein
2014-10-13 22:43:42 UTC
Matthieu,

I think the feasibility will depend on which features of SAML 2.0 you're trying to utilize and how. Most of the best ideas in SAML 1.1 translate directly into SAML 2.0, but not necessarily the other way around. Basically, set up a service provider that protects the authentication endpoint of your identity provider.

I don't think Shibboleth is used for proxying between protocols often, though. simpleSAMLphp is more used in my experience.

Hope this helps,
Nate.
Cantor, Scott
2014-10-13 23:33:57 UTC
Post by Nate Klingenstein
I think the feasibility will depend on which features of SAML 2.0 you're
trying to utilize and how. Most of the best ideas in SAML 1.1 translate
directly into SAML 2.0, but not necessarily the other way around.
Basically, set up a service provider that protects the authentication
endpoint of your identity provider.
I don't think Shibboleth is used for proxying between protocols often,
though. simpleSAMLphp is more used in my experience.
When the reasons are legitimate and not the usual whining about Java or
Apache, the main reason is that the IdP doesn't include a data connector
for attribute resolution that pulls data from the request attributes set
by Apache. I forgot to get a task defined for that for V3, but I should be
able to knock it out before we ship.

-- Scott
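The layout Nate describes (a Shibboleth SP guarding the authentication endpoint of a Shibboleth IdP, so that the IdP's RemoteUser login handler sees the principal the upstream SAML 1.1 IdP asserted), with the attribute-resolution gap Scott mentions called out, as an added example that is not from this thread or from the Shibboleth project. It assumes Apache httpd with mod_shib (Shibboleth SP 2.x) in front of a Shibboleth IdP running in Tomcat reached over AJP; the hostnames, entityID, port and paths are assumptions.

```apache
# Added example (not from the thread): Apache httpd vhost for a SAML2 -> SAML1.1
# IdP proxy built as "an SP that protects the IdP's login endpoint".
# - The Shibboleth SP (mod_shib) on this host is registered with the upstream
#   SAML 1.1 IdP (assumed entityID https://upstream-idp.example.edu/shibboleth).
# - The proxy IdP (Shibboleth IdP in Tomcat, AJP on 127.0.0.1:8009) uses its
#   RemoteUser login handler, so it authenticates whatever REMOTE_USER Apache
#   hands it. Hostnames, ports and paths are assumptions.

<VirtualHost *:443>
    ServerName proxy-idp.example.org
    SSLEngine on
    # ... SSLCertificateFile / SSLCertificateKeyFile as usual ...

    # SP handler endpoints (assertion consumer service, session status, etc.).
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Only the IdP's login endpoint is protected by the SP. The proxy IdP's own
    # SAML endpoints under /idp/profile/ stay unauthenticated, otherwise the
    # downstream SAML2 SP could never deliver its AuthnRequest.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Pin this path to the upstream SAML 1.1 IdP so no other IdP in the
        # SP's metadata can satisfy the session requirement for the proxy.
        ShibRequestSetting entityID https://upstream-idp.example.edu/shibboleth
        Require valid-user
    </Location>

    # Everything under /idp goes to Tomcat over AJP. REMOTE_USER (set by
    # mod_shib from the upstream assertion) only reaches the IdP if the Tomcat
    # AJP connector is configured with tomcatAuthentication="false".
    ProxyPass        /idp ajp://127.0.0.1:8009/idp
    ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

Two things a practitioner should check before putting this in front of users. First, the AJP connector trusts whatever user name the front end sends, so the Tomcat connector must be bound to the loopback address (and any plain HTTP connector on the IdP disabled); a client that can reach port 8009 directly could otherwise present any REMOTE_USER it likes to the RemoteUser handler. Second, this wiring only carries the principal name: any further attributes the upstream IdP released would have to be exported as request headers or environment variables by the SP, and (at the time of the thread) the IdP had no data connector to read them, which is exactly the gap Scott describes. The example therefore assumes the proxy IdP resolves attributes from its own source (for instance an LDAP data connector keyed on the principal), not from the upstream assertion.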
Tom Scavo
2014-10-13 22:45:02 UTC
On Mon, Oct 13, 2014 at 6:08 PM, Matthieu Huin
Post by Matthieu Huin
I'm looking into the feasibility of setting up an IdP proxy between a SAML2 SP and a SAML1.1 IdP. All I could find in terms of documentation or previous experience is this: https://spaces.internet2.edu/display/GS/SAMLIdPProxy
I wrote that wiki page way back when but it was J.P. Robinson at UAB
who first configured Shibboleth as an IdP Proxy almost 10 years ago, I
believe. It can be done but better tools have appeared in the
meantime. I'm talking about simpleSAMLphp of course, which is
preferred for this type of deployment. All the hub-and-spoke
federations of the EU are based on simpleSAMLphp, AFAIK.
Post by Matthieu Huin
I'd be grateful if anyone could share experiences or documentation on the subject.
We have two such deployments in production today, an OpenID
Connect-to-SAML gateway and a SAML-to-SAML IdP Proxy, both based on
simpleSAMLphp, and both provided by Cirrus Identity. Maybe they have
some documentation on their web site, (http://cirrusidentity.com/) I
don't know.

Hope this helps,

Tom