1 Reply Latest reply on Nov 27, 2011 2:00 PM by Anil Saldanha

    Custom IDP with LDAP as Identity store

    kenhuangus Newbie

      I have a requirement to expose IDP as web service to other Jboss components such as EPP, EAP, and SOA-P, as well as the SP web application hosted in other Application Server.

       

      How can I configure my IDP to use LDAP as the Identity Store to authenticate the user if it is the first time the user has requested the access. The idea is the followig:

       

      1) User access an page at SP website hosted in a web container which may run on one of the enterprise flavor of Jboss (EAP, EPP, SOA-P, EWS etc).

       

      2: The SP website has configured to use IDP hosted at another web container (ideally run on SOA-P for maximum secuirty) and when the user has not authenticated, the IDP will redirect user to enter Id and password.

       

      3: The user enter ID and Password, this info is sent to IDP. IDP checks LDAP and get a user profile. IDP then package the user profile information into a SAML Token and send to SP as SAML response with either Hold of key or Sender Vouch confirmation.

       

      4: SP validate the SAML token and extract the necessay information from the token to make access control decision.

       

       

      5: User decides to go to another SP which also use the same IDP.

       

      6: Since IDP alread has the SAML token created, IDP will not need to redirect and post the login page, instead, the IDP will send the SAML response back.

       

      I personally believe that it is the use case that Picketlink shall support out of box, but was not able to find any document on how to do so. I may have missed something and need the following information.

       

      1: How can I configure LDAP as the default Login module for my IDP?

       

      2: Where is generated SAML token stored  and then reused for the next authN request (we need to scale up to more than 10 million users)? Can I configure IDP to store SAML token in external database for scalibility?

       

      3: For this use case, would STS be an alternative? If so, how can I configure the same in STS?

       

      Any hints on this would be greatly apprecited.

       

      Ken Huang

        • 1. Re: Custom IDP with LDAP as Identity store
          Anil Saldanha Master

          kenhuangus wrote:

           

          I have a requirement to expose IDP as web service to other Jboss components such as EPP, EAP, and SOA-P, as well as the SP web application hosted in other Application Server.

           

          How can I configure my IDP to use LDAP as the Identity Store to authenticate the user if it is the first time the user has requested the access. The idea is the followig:

           

          1) User access an page at SP website hosted in a web container which may run on one of the enterprise flavor of Jboss (EAP, EPP, SOA-P, EWS etc).

           

          2: The SP website has configured to use IDP hosted at another web container (ideally run on SOA-P for maximum secuirty) and when the user has not authenticated, the IDP will redirect user to enter Id and password.

           

          3: The user enter ID and Password, this info is sent to IDP. IDP checks LDAP and get a user profile. IDP then package the user profile information into a SAML Token and send to SP as SAML response with either Hold of key or Sender Vouch confirmation.

           

          4: SP validate the SAML token and extract the necessay information from the token to make access control decision.

           

           

          5: User decides to go to another SP which also use the same IDP.

           

          6: Since IDP alread has the SAML token created, IDP will not need to redirect and post the login page, instead, the IDP will send the SAML response back.

           

          I personally believe that it is the use case that Picketlink shall support out of box, but was not able to find any document on how to do so. I may have missed something and need the following information.

           

          1: How can I configure LDAP as the default Login module for my IDP?

           

          2: Where is generated SAML token stored  and then reused for the next authN request (we need to scale up to more than 10 million users)? Can I configure IDP to store SAML token in external database for scalibility?

           

          3: For this use case, would STS be an alternative? If so, how can I configure the same in STS?

           

          Any hints on this would be greatly apprecited.

           

          Ken Huang

          The IDP is a secured web application. Use the standard JBoss ldap login modules.

           

          The IDP underneath uses the STS to generate the tokens.  There is a token registry concept in the STS. You may want to code in a ldap token registry.