openid webid and wif

For production reasons (yea, it's not all demos!), we have been WIF-enabling
our web applications (IDP, IDP proxy and several SPs). (WIF is Microsoft's
web SSO library, properly engineered to be token- and protocol-independent.)
This is quite easy, as it simply required adding WIF libraries to endpoints
that were working with SAML offloading servers. (This means the core flows
are already implemented, bar a switch of URI parameters or blob format.)


Anyways, we were able to play with a fun interaction.


We have Google (OpenID) talking to the Microsoft ACS bridge (WS-Fed + claims
transformer), which signs a SAML2 assertion with the key/cert issued by
Henry's myxwiki WebID issuer, which is processed by our IDP proxy, which
calls my WebID validator class to verify the cert supporting the
assertion's/container's signature, which authorized a session creation on
the IDP, which performs an act of session proxying to an SP site.


Presumably, I now get lynched by each and every religion, claiming special
knowledge.


Now, tomorrow, I'm going to turn on our impersonation feature (which is
claim-based already), in which local roles authorize one claimant (evaluated
at the IDP proxy) the rights to impersonate another user at the SP site!


Received on Tuesday, 12 April 2011 05:38:53 UTC