Don't use PostAuthentication Plugin in SUN Access Manager with the SAML2 plugin
I just got it confirmed from my support contact at SUN.
I have implemented the AMPostAuthProcessInterface at a ServiceProvider to retrieve the SSOToken properties set by the SAML2 plugin from the SAML2 assertion sent from the IdentityProvider.
(I'm using SUN Access Manager 7.1 with the SAML2 plugin)
I have to convert one of the properties retrieved from one format to another, and I thought that the AMPostAuth plugin would be the best place to do it. But the problem is this:
- The SAML2 plugin sets the properties on the SSOToken only after the user is logged in and the PostAuthentication plugin has already been called, so the properties are not yet there when the plugin runs.
My support contact told me to use the SAML2ServiceProviderAdapter SPI instead. :(
This is the mail received from SUN support:
Hello M Berner,
if that is the case then I can confirm (after having double-checked
with engineering) that if you are trying to obtain those
attributes in the Post Auth process for the SAML2 auth module, that won't work,
as the SP sets those attributes on the session/SSOToken after the Post Auth
process is already done.
One way to accomplish this is to use the SAML2ServiceProviderAdapter SPI.
You could then retrieve the attributes in the public boolean
postSingleSignOnSuccess() method.
Kind Regards,
UPDATE 12.05.2009:
I searched and searched for the SAML2ServiceProviderAdapter SPI, but it doesn't exist in the SUN Access Manager, only in OpenSSO. Here is SUN support's response to that:
Hello M Berner,
you are right, I forgot about that. I am working a lot with OpenSSO at
the moment and sometimes mix things up. My apologies for that.
As you said, this SPI is not in the SAML2 plugin.
If the end SP application cannot obtain the attributes from the SSOToken,
one other way to do this is to write a servlet/JSP on the SP side to
retrieve the attributes and send them to the SP application.
Configure the servlet in the SP extended metadata with the attribute
"intermediateUrl".
The flow would be something like this:
- SP receives the assertion;
- SP creates the SSOToken and sets the attributes on the SSOToken;
- The browser is redirected to this custom servlet/JSP, the
attributes are retrieved from the SSOToken and sent to the SP app;
- The browser is redirected to the final SP app URL.
Kind Regards,
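As an added illustration of the intermediateUrl flow that SUN support describes (this is my own sketch, not code from the SAML2 plugin or from SUN), here is a servlet that reads a property the plugin set on the SSOToken, converts it, and redirects to the final SP application. The property names, the init-param name and the conversion itself are placeholders that have to be replaced with the real ones for your deployment.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/**
 * Intermediate servlet for the "intermediateUrl" step: the SP redirects the
 * browser here after it has created the SSOToken and copied the assertion
 * attributes onto it, so at this point the properties are already present.
 */
public class IntermediateAttributeServlet extends HttpServlet {
    // Placeholder names (assumptions, not values from the SAML2 plugin):
    // the property the plugin set from the assertion, and the property
    // the SP application will read the converted value from.
    private static final String SOURCE_PROPERTY = "SAML_ATTR_PLACEHOLDER";
    private static final String CONVERTED_PROPERTY = "SAML_ATTR_CONVERTED";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            SSOTokenManager mgr = SSOTokenManager.getInstance();
            // Builds the token from the Access Manager session cookie on the request.
            SSOToken token = mgr.createSSOToken(req);
            if (!mgr.isValidToken(token)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String raw = token.getProperty(SOURCE_PROPERTY);
            if (raw == null) {
                // The attribute was not in the assertion; fail closed instead of
                // passing an empty value on to the application.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "attribute missing");
                return;
            }
            // Hand the converted value to the SP app via the same SSOToken.
            token.setProperty(CONVERTED_PROPERTY, convert(raw));
        } catch (SSOException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The final URL comes from a fixed init-param (assumed name), never from
        // a request parameter, so the servlet cannot be used as an open redirect.
        resp.sendRedirect(getServletConfig().getInitParameter("finalSpAppUrl"));
    }

    /** Placeholder for the real format conversion (here: trim and lower-case). */
    static String convert(String raw) {
        return raw.trim().toLowerCase();
    }
}
```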