Dec 17th, 2012, 04:24 AM
Federation support for Spring security
I'm looking into adding support for the WS-Federation Passive Requestor Profile for Spring. As of now, the Apache Fediz subproject supports that at the container level. The approach of this SSO concept is that unauthenticated requests are redirected to a central IDP component (as provided by Fediz) which does the authentication. Finally, a SAML token is issued and posted to Jetty via the browser. The token is validated and a session is created.
As a first step, I can combine Fediz at the container level and Spring Security with the pre-auth feature. I was thinking of adding support to transform the SAML attributes into GrantedAuthority.
As a next step, I'd like to integrate Fediz into Spring Security itself. I was looking into the code for CAS and think I have to do it very similarly, like:
- FederationAuthenticationToken which contains the RSTR of the STS
- the SAML attributes are added as GrantedAuthority
Does that sound reasonable? Am I missing anything?
Thanks for your feedback
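An added example, not code from the post, from Fediz or from Spring Security, sketching the two pieces proposed above: a FederationAuthenticationToken that holds the RSTR and a mapping of the SAML role attribute to GrantedAuthority. The role claim URI, the shape of the attribute map and the principal name are assumptions; the constructor is only meant to receive attributes that Fediz has already validated.

```java
import java.util.*;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class FederationAuthenticationToken extends AbstractAuthenticationToken {
    // Claim type carrying roles; an assumption here, configure it to match the IDP's claim dialect.
    public static final String ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";

    private final String principal; // subject name taken from the validated SAML token
    private final String rstr;      // raw RequestSecurityTokenResponse, kept for auditing and sign-out

    /** Build the token from attributes the Fediz processor has ALREADY validated
     *  (signature, audience, lifetime). Unvalidated input must not reach this constructor. */
    public FederationAuthenticationToken(String principal, String rstr,
                                         Map<String, List<String>> samlAttributes) {
        super(toAuthorities(samlAttributes));
        this.principal = principal;
        this.rstr = rstr;
        setAuthenticated(true); // justified only because validation happened before construction
    }

    /** Map role claim values to ROLE_* authorities; all other SAML attributes are ignored. */
    static List<GrantedAuthority> toAuthorities(Map<String, List<String>> attrs) {
        Set<String> seen = new LinkedHashSet<>(); // de-duplicate while keeping order
        List<String> roles = attrs.getOrDefault(ROLE_CLAIM, Collections.emptyList());
        for (String role : roles) {
            if (role == null || role.trim().isEmpty()) continue;
            // Normalise so "admin" and "Admin" do not become two distinct authorities,
            // and strip characters that would not survive a role-voter comparison.
            String name = role.trim().toUpperCase(Locale.ROOT).replaceAll("[^A-Z0-9_]", "_");
            seen.add("ROLE_" + name);
        }
        List<GrantedAuthority> out = new ArrayList<>();
        for (String r : seen) out.add(new SimpleGrantedAuthority(r));
        return out;
    }

    @Override public Object getCredentials() { return rstr; }
    @Override public Object getPrincipal()   { return principal; }
}
```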