Changes between Version 13 and Version 14 of proposals/ImprovedSecurityArchitecture
Timestamp: 12/15/10 09:52:25
proposals/ImprovedSecurityArchitecture
v13 v14 210 210 * HTTP-POST and HTTP-Redirect bindings 211 211 * Automatic generation of Service Provider metadata 212 * Configuration of multiple !IDPs212 * Configuration of multiple IDPs 213 213 214 214 GAAP support for SAML can function in one of the two modes of IDP discovery: … … 219 219 SP-initiated flow is to say, the user's Single Sign-On identity is created by the user starting at the GeoNetwork (the Service Provider). GAAP's login form shows a list of all trusted Identity Providers; the user can choose one, and upon submit is redirected to that Identity Provider's login form. After authentication at the Identity Provider the user comes back to GeoNetwork. 220 220 221 !IDP-initiated flow is when the user has already authenticated with a trusted Identity Provider when doing a request to GeoNetwork; in this case the request carries a SAML Authentication token that is validated by GAAP and if valid, allows the user Single-!SignOn access to GeoNetwork.222 223 The !AuthNRequest SAML message is sent to the !IDP using either HTTP-POST or HTTP-Redirect binding and the request is stored in the cache for subsequent matching with the response.221 IDP-initiated flow is when the user has already authenticated with a trusted Identity Provider when doing a request to GeoNetwork; in this case the request carries a SAML Authentication token that is validated by GAAP and if valid, allows the user Single-!SignOn access to GeoNetwork. 222 223 The AuthNRequest SAML message is sent to the IDP using either HTTP-POST or HTTP-Redirect binding and the request is stored in the cache for subsequent matching with the response. 224 224 225 225 All configured IDPs are considered to be members of a single circle of trust. … … 227 227 The SAML Single log-out profile is currently not supported, invocation of logout at will only destroy the local session. 
228 228 229 A UML Activity diagram giving a view of how GAAP manages a SP-initiated !WebSSO is:229 A UML Activity diagram giving a view of how GAAP manages a SP-initiated WebSSO is: 230 230 231 231 [[Image(SAMLAuthenticationActivity.png)]] 232 232 233 1. When the user selects an IDP in GAAP login to validate against it, SAMLEntryPoint sends to the IDP an AuthNRequest SAML message . 234 2. A SAML response created by the IDP is send to a GAAP URL, monitored by SAMLProcessingFilter that parses the SAML message wrapping it into SAMLAuthenticationToken. 235 3. The SAMLAuthenticationProvider validates the SAMLAuthenticationToken and 236 4. If the validation succeeds a Spring !AuthenticationToken is created and the flow continues to create the GAAP !AuthenticationToken as described previously. 237 238 Because we support SAML 2.0, not SAML 1.1 or earlier, you can only use Shibboleth 2.0, not earlier versions. 233 239 234 240 === Backwards Compatibility Issues ===
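Review bot: in the 219–227 hunk, line 223 says the AuthNRequest is stored in the cache so the Response can be matched to it, but the IDP-initiated flow on line 221 sends no request, so nothing in this text says how an unsolicited Response is accepted (no InResponseTo to match) or what protects that path against replay of a captured Response; the paragraph should state that explicitly, e.g. a cache of already-consumed assertion IDs checked together with the assertion's validity window, or say that unsolicited Responses are rejected. Line 225's "single circle of trust" should also say whether a NameID asserted by one IDP can be mapped onto an account that another trusted IDP also asserts, since with several IDPs in one trust set that is where account takeover across providers would come from. A smaller point in the same hunk: the new line 221 still reads "Single-!SignOn" while every other "!" escape in this change was dropped ("IDPs", "IDP-initiated", "AuthNRequest"); in Trac syntax the leading "!" only stops a CamelCase word from being rendered as a wiki link, so decide once whether the escapes are wanted and apply the same rule to all of them.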
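Review bot: in the 228–240 hunk, the new steps 3 and 4 say that SAMLAuthenticationProvider "validates" the SAMLAuthenticationToken without saying what is checked, which is the part a reader auditing this design needs; the list should name the checks, at least the Response/Assertion signature against the configured IDP's metadata, the Issuer being one of the trusted IDPs, the Audience matching this SP's entity ID, the Conditions and SubjectConfirmationData time window, the Recipient/Destination matching the GAAP URL named on line 234, and InResponseTo matching the cached request from line 223. Two wording fixes in the added lines: line 234 "is send" should read "is sent", and line 233 has a stray space before the full stop. Line 238 reads as if exactly version 2.0 is required; "Shibboleth IdP 2.x or later" says what is meant, since the requirement is SAML 2.0 support rather than a single release.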