Bridging the SAML and OAuth 2.0 frameworks is a well understood problem. The following stack of IETF specs provides a standard solution:
If you look at the core OAuth 2.0 spec (RFC 6749) and its token endpoint definition - this is basically an OAuth server endpoint which returns an access token in exchange for a "grant" -- an open-ended concept of something deemed appropriate to grant the client app the issue of an access token. In the typical OAuth scenario this is an authorisation code signifying that the user has been previously authenticated and given their consent. But the grant could also be something else.
There is a further IETF spec called draft-ietf-oauth-assertions-16 that builds on the core RFC 6749 standard which says that the grant can also be an assertion (a signed proof of something) and defines the necessary token request parameters for that.
Finally, there is draft-ietf-oauth-saml2-bearer-20, which specifies how this assertion can be a SAML 2.0 Bearer Assertion.
This standard mechanism for converting a SAML assertion into an OAuth 2.0 access token is essentially all that is needed to bridge the two frameworks.
To ensure removal of users is properly reflected by the authorisation systems there are two approaches, which can be combined:
Make the OAuth 2.0 access tokens short lived. This will force the client to repeat the authorisation process when the token expires, and if the user no longer exists authentication will fail and no grant (SAML assertion) will be issued.
Provide an API for revoking issued OAuth 2.0 access tokens, see RFC 7009 for details.
Contents contributed and discussions participated by munyeco
BIG DATA APPLICATIONS Fast Data: Big Data Evolved - White Paper - 0 views
-
There is a fundamental shift occurring in Big Data, from data at rest to data in motion. In this white paper, Dean Wampler explores the ecosystem that is emerging around Fast Data and provides handy diagrams and code samples to help you:
Announcing dex, an Open Source OpenID Connect Identity Provider from CoreOS - 1 views
-
Another kid on the blocs
zmalltalker/fish-nuggets - 2 views
-
"The fish nuggets project contains various completions and functions for the amazing Fish shell."
wa/oh-my-fish - 1 views
-
"Oh My Fish is an all-purpose framework for the fishshell. It looks after your configuration, themes and packages. It's lightning fast and easy to use."
SystemdForUpstartUsers - Ubuntu Wiki - 1 views
-
ubuntu + systemd + docker !!!! (LPQLP)
Passport - 0 views
-
Passport is authentication middleware for Node.js. Extremely flexible and modular, Passport can be unobtrusively dropped in to any Express-based web application. A comprehensive set of strategies support authentication using a username and password, Facebook, Twitter, and more."
Opensso *INACTIVE PROJECT*: users@opensso.java.net: Archive - Project Kenai - 0 views
-
Hello everybody, I'm developing a custom authentication module. As part of the process I have to redirect the user to a second site and then the second site redirect the user back to the custom module. For this I'm using the RedirectCallback, but while debugging I noticed that the module gets initialized a second time after the users comes back from the second site. I was wondering if this is the expected behavior or if I'm doing something wrong. This is how the callbacks are defined in the xml.
authorization - SAML2 vs. OAuth - What are some reasonable relationships? - Information... - 0 views
-
Es un problemón conocido y con blancos sin estandarizar el juntar SAML 2.0 en cuanto a AuhN y Oauth2 para autorización. Éste post es el mas sintético que encontré con un agregado de valor muy alto: Deja entrever que aunque no sea estándar, el mecanismo es posible, y se basa en convertir una aserción SAML2 en un token de acceso OAuth2. uno puede transliterar ésta propocisión así: "convertir una aserción CLAVE FISCAL en un token de acceso OAuth2". La pregunta es: ¿Que será una aserción CLAVE FISCAL?
Graylog 1.1 Beta is Now Available! - 1 views
-
We are pleased to announce Graylog v1.1 beta is now available and can be downloaded from here. ("All releases" section) The Graylog 1.1 release theme is about usability and ease of management. We refactored parts of the user interface to make it easier to use and faster to search.
OpenAM Administration Guide - 0 views
-
An authentication service confirms the identity of a user or a client application.
-
OpenAM is most frequently used to protect web-accessible resources. Users browse to a protected web application page. An agent installed on the server with the web application redirects the user to OpenAM for access management. OpenAM determines who the user is, and whether the user has the right to access the protected page. OpenAM then redirects the user back to the protected page, with authorization credentials that can be verified by the agent. The agent allows OpenAM authorized users access the page.
OpenID Connect in a nutshell - 1 views
-
How OpenId Connect works?
etishor/Metrics.NET - 1 views
-
"The Metrics.NET library provides a way of instrumenting applications with custom metrics (timers, histograms, counters etc) that can be reported in various ways and can provide insights on what is happening inside a running application."
Murano/Screencasts - OpenStack - 0 views
-
Mas cosa de Murano. Murano & Kubernetes, HA and autoscaling, Docker Integration. Etc.
Murano - OpenStack - 0 views
-
"The Murano Project introduces an application catalog to OpenStack, enabling application developers and cloud administrators to publish various cloud-ready applications in a browsable categorized catalog. Cloud users -- including inexperienced ones -- can then use the catalog to compose reliable application environments with the push of a button."
Co-Engineered Together: OpenStack Platform and Red Hat Enterprise Linux | Red Hat Stack - 2 views
An Introduction to PaaS on OpenStack | ActiveState - 0 views
-
otro exposición "opinionada" de como conseguir lo que hay que conseguir. la mas simple de stackato que vi.
munyeco