Development notes on ShibADFS interop...

Request from Resource STS (SP) to Requestor STS (IdP)

GET/Redirect with query string:

  • wtrealm (providerId): required URI identifying resource realm
  • wreply (shire): optional URL to POST security token back to
  • wctx (target): optional string to be returned with security token
  • wct (time): optional UTC timestamp string; some IdPs can require it, so we should always send it

Response from Requestor STS (IdP) to Resource STS (SP)

POST with form:

  • wresult (SAMLResponse): literal encoded RequestSecurityTokenResponse XML fragment
  • wctx (TARGET): optional string returned with security token
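The two messages above as an added Python example (not part of these notes or of the Shibboleth code): the SP side builds the redirect query string and then validates the POSTed form, checking that wctx round-trips and that wresult actually carries an assertion. The wa parameter, the WS-Trust 2005/02 namespace and the sample wresult are my assumptions, not taken from the notes.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET


def build_signin_request(idp_url, wtrealm, wreply=None, wctx=None, now=None):
    """Build the GET/Redirect URL the SP sends to the IdP (Requestor STS).
    wa is the WS-Federation action parameter, required by ADFS although not
    listed in the notes above; wct is always sent, as the notes advise."""
    now = now or datetime.now(timezone.utc)
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm,
              "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ")}
    if wreply:
        params["wreply"] = wreply
    if wctx:
        params["wctx"] = wctx
    sep = "&" if urlparse(idp_url).query else "?"
    return idp_url + sep + urlencode(params)


def parse_signin_response(form, expected_wctx=None):
    """Parse the form POSTed back by the IdP. Returns (assertion, wctx).
    Raises ValueError on a malformed or mismatched response. Signature
    verification of the assertion is out of scope here and must happen
    before any attribute is mapped to an Organization Claim."""
    wresult = form.get("wresult")
    if not wresult:
        raise ValueError("wresult is required")
    wctx = form.get("wctx")
    if expected_wctx is not None and wctx != expected_wctx:
        raise ValueError("wctx does not match the value sent in the request")
    root = ET.fromstring(wresult)
    # Match on local names so the WS-Trust namespace version does not matter.
    if root.tag.rsplit("}", 1)[-1] != "RequestSecurityTokenResponse":
        raise ValueError("wresult is not a RequestSecurityTokenResponse")
    token = root.find("{*}RequestedSecurityToken")
    assertion = token.find("{*}Assertion") if token is not None else None
    if assertion is None:
        raise ValueError("no SAML assertion in RequestedSecurityToken")
    return assertion, wctx


# Constructed sample wresult (not captured from a real IdP).
SAMPLE_WRESULT = (
    '<t:RequestSecurityTokenResponse '
    'xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_example-1" Issuer="urn:federation:idp.example.org"/>'
    '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
)
```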

Concepts
  • Incoming SAML attributes are mapped to Organization Claims and then exported to Applications, similar to an AttributeAcceptancePolicy
  • Uses _LSRealm cookie on the Resource Realm side after successful token response to local STS to cache the Account STS used by the client. Equivalent to the _saml_idp cookie created by SP if IdPHistory is turned on, in that it tracks not discovery selection but successful authentications.
Implementation

  • Proposed URI for protocolSupportEnumeration and Binding attributes: http://schemas.xmlsoap.org/ws/2003/07/secext

  • Significantly enhanced SessionInitiator plugin to select AssertionConsumerService based on support for profiles consistent with the request (i.e. auto-select an ADFS endpoint when sending an ADFS request). Need revisions to IApplication API to improve the efficiency.
  • Look at Sun/MS drafts for handling Liberty/WS interop.