/
ShibADFSNotes

The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

ShibADFSNotes

Owned by Scott Cantor
Last updated: Dec 22, 2006Version comment

Development notes on ShibADFS interop...

Request from Resource STS (SP) to Requestor STS (!IdP)

GET/Redirect with query string:

$ wtrealm (providerId): required URI identifying resource realm
$ wreply (shire): optional URL to POST security token back to
$ wctx (target): optional string to be returned with security token
$ wct (time): optional UTC timestamp string, some IdPs can require it, so we should always send it

Response from Requestor STS (!IdP) to Resource STS (SP)

POST with form:

$ wresult (SAMLResponse): Literal encoded RequestSecurityTokenResponse XML fragment
$ wctx (TARGET): optional string returned with security token

Concepts
  • Incoming SAML attributes are mapped to Organization Claims and then exported to Applications, similar to an AttributeAcceptancePolicy
  • Uses _LSRealm cookie on the Resource Realm side after successful token response to local STS to cache the Account STS used by the client. Equivalent to the _saml_idp cookie created by SP if IdPHistory is turned on, in that it tracks not discovery selection but successful authentications.
Implementation

$ Proposed URI for protocolSupportEnumeration and Binding attributes: http://schemas.xmlsoap.org/ws/2003/07/secext

  • Significantly enhanced SessionInitiator plugin to select AssertionConsumerService based on support for profiles consistent with the request (i.e. auto-select an ADFS endpoint when sending an ADFS request). Need revisions to IApplication API to improve the efficiency.
  • Look at Sun/MS drafts for handling Liberty/WS interop.