I have a use case that I've only been able to solve with SAML's Artifact Binding. I was wondering if there is a better approach. If not, I was wondering if artifact binding support could be added to picketlink.
Consider the case where Application 1 serves up a Web page that references images from Application 2.
If the user hasn't already logged into Application 2, they will be redirected to the IdP. However, the browser won't post the IdP response to Application 2. It just drops it and images show up as broken links. When I use artifact binding, the IdP redirects back to Application 2 with GET. Using the back channel SOAP request, Application 2 retrieves the SAML token, authenticates the user, and serves up the content.
Is there a better way to solve this problem? I'm currently using the Shibboleth Native SP in front of my application, but I'd like to drop the dependency on native code and Apache.
Replying to the answer failed with an error, so I'm trying to edit the original post...
Thanks for the reply. I'm sorry, but I don't understand your question regarding portals. Are you suggesting that Application 1 proxy the images from Application 2?
I reviewed the REST API documentation that you provided. It looks like it would enable a service account from Application 1 to access Application 2, but it doesn't tie resource requests on Application 2 to the end user. Is that a correct interpretation? Our access control and auditing requirements require that resource access be tied to a user for all of our applications. We can't use service accounts for communication between applications.
The only way I can see making a proxy approach work is to use WS-Trust with Act-As. We've done that in some other cases when we needed brokered trust. However, that forces me to use SOAP anyway. Also, Application 1 would need to maintain a conversation with Application 2 on behalf of each user to avoid repeated STS calls. This seems like a good deal more trouble than using Artifact Binding.
I would greatly appreciate it if you would consider supporting Artifact Binding in a future release. If I've misinterpreted something that you've said or the REST API, please let me know.
Message was edited by: amdonov
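The artifact flow the post describes (the IdP redirects back to Application 2 with a GET carrying the artifact, and the SP resolves it over a back-channel SOAP call) is shown below as an added example; it is not code from the original post or from picketlink. The Python sketch decodes a type-4 artifact, checks its SourceID against the expected IdP, builds the `ArtifactResolve` message, and validates the `ArtifactResponse` (InResponseTo and status) before handing the embedded `Response` on. The entity IDs, request ID and sample `ArtifactResponse` are constructed placeholders, and `fake_idp_endpoint` is a stand-in for the IdP's artifact resolution service.

```python
"""SP side of the SAML 2.0 HTTP-Artifact binding (added example, not picketlink code).
Entity IDs, request IDs and the sample response are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.org/idp"   # assumed placeholder
SP_ENTITY_ID = "https://app2.example.org/sp"    # assumed placeholder


def make_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Encode a type-0x0004 artifact the way an IdP would (used here to build test input)."""
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (4).to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
    raw += hashlib.sha1(issuer_entity_id.encode()).digest() + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact_b64: str) -> dict:
    """Decode TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError("unexpected artifact length")
    if int.from_bytes(raw[0:2], "big") != 4:
        raise ValueError("unsupported artifact type")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}


def source_id_matches(artifact: dict, issuer_entity_id: str) -> bool:
    """SourceID is SHA-1(entityID) of the issuer; it selects which IdP to resolve against."""
    return artifact["source_id"] == hashlib.sha1(issuer_entity_id.encode()).digest()


def build_artifact_resolve(artifact_b64: str, request_id: str) -> bytes:
    """SOAP-wrapped <samlp:ArtifactResolve> for the back channel (unsigned in this sketch)."""
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    req = ET.SubElement(body, f"{{{NS_SAMLP}}}ArtifactResolve", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{NS_SAMLP}}}Artifact").text = artifact_b64
    return ET.tostring(env, encoding="utf-8")


def parse_artifact_response(xml_bytes: bytes, expected_request_id: str) -> ET.Element:
    """Unwrap <samlp:ArtifactResponse>; require matching InResponseTo and Success first."""
    resp = ET.fromstring(xml_bytes).find(f".//{{{NS_SAMLP}}}ArtifactResponse")
    if resp is None:
        raise ValueError("no ArtifactResponse in SOAP body")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our ArtifactResolve ID")
    code = resp.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("artifact resolution did not succeed")
    inner = resp.find(f"{{{NS_SAMLP}}}Response")
    if inner is None:
        raise ValueError("ArtifactResponse carries no samlp:Response")
    return inner


# Constructed ArtifactResponse standing in for what the IdP's SOAP endpoint returns.
SAMPLE_ARTIFACT_RESPONSE = f"""<soap:Envelope xmlns:soap="{NS_SOAP}"><soap:Body>
<samlp:ArtifactResponse xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_ar1"
    Version="2.0" IssueInstant="2010-01-01T00:00:00Z" InResponseTo="{{request_id}}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <samlp:Response ID="_resp1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
      <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse></soap:Body></soap:Envelope>"""


def fake_idp_endpoint(endpoint_index: int, resolve_xml: bytes) -> bytes:
    """Stand-in for the IdP's artifact resolution service; echoes our request ID."""
    req = ET.fromstring(resolve_xml).find(f".//{{{NS_SAMLP}}}ArtifactResolve")
    return SAMPLE_ARTIFACT_RESPONSE.replace("{request_id}", req.get("ID")).encode()


def resolve_flow(artifact_b64: str, request_id: str, soap_post) -> str:
    """SP handling of a GET carrying SAMLart: returns the NameID from the resolved Response."""
    art = parse_artifact(artifact_b64)
    if not source_id_matches(art, IDP_ENTITY_ID):
        raise ValueError("artifact was not issued by the expected IdP")
    resolve = build_artifact_resolve(artifact_b64, request_id)
    response = parse_artifact_response(soap_post(art["endpoint_index"], resolve), request_id)
    # Signature verification of the Response/Assertion belongs here before NameID is trusted.
    return response.find(f".//{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID").text


if __name__ == "__main__":
    sample = make_artifact(IDP_ENTITY_ID, 0, b"\x11" * 20)
    print(resolve_flow(sample, "_req123", fake_idp_endpoint))
```

Two points the sketch deliberately leaves to the surrounding SP: the back-channel call should run over a mutually authenticated TLS connection (or carry a signed `ArtifactResolve`) so only the SP that received the artifact can redeem it, and the resolved `Response`/`Assertion` must have its XML signature verified before the NameID is used for authentication. The IdP side must also hand out each artifact once, so a replayed `SAMLart` parameter resolves to nothing.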