Interfedoperation
Interoperating WS-Federation
Jens Jensen, RAL
OGF31/Taipei
What it is
• WS-Federation: OASIS standard
• Version 1.2 (May 2009)
• Two modes
  – “normal” mode – SOAP
  – Passive mode – web
• So federating access rather than federation
Protocol Summary
• Bring together IdPs and SPs
• Similar to Shib, but looser federation
• More flexible in some ways
  – E.g. redirects to other IdPs
  – Metadata discovery
  – Establishing trust between trust domains
Basic Operation
(Slides 6 and 7: diagrams only, no text extracted.)
“Federation” – metadata discovery
Objective – Plan A
• STS in Azure
• IdP running inside Azure
  – (could have been Pistoia customer)
• SP running at RAL
  – Needed OS SP for Apache
  – Using pingidentity for Apache
Result
• It didn’t work, went on to Plan B
• We made it better, but not working
  – Ran out of time/funding
  – Could pick up again later
  – Made squillions of lab notes (mostly paper)
Specifics
• Open Source client not maintained
  – Using old namespaces
  – Written for Apache 2.0 (should work for 2.2)
  – Needed some work to build (done partly outside the Apache build framework)
  – Not RFC2616 compliant (HTTP/1.1)
• Redirects failed
  – Expected different SAML content
Specifics
• The STS SAML not 100% matching WSFED1.2 SAML
  – But this was relatively easy to fix
  – SAML fairly stretchy
• Debugging redirects took time
  – Server said “error occurred” but not what – probably a security feature
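The passive-mode exchange that the two Specifics slides were debugging (the sign-in redirect to the STS and the wresult posted back to the SP), written out as an added example; this is not code from the slides, from the pingidentity module or from any WS-Federation implementation. The STS and SP URLs, the wctx handling and the SAML 1.1 assertion are constructed placeholders. The check accepts either WS-Trust namespace and either SAML version, which is what "SAML fairly stretchy" amounts to in practice, and it reports which namespace arrived so a namespace mismatch is visible instead of a bare "error occurred". Verifying the XML signature against the STS metadata is a mandatory further step that is not shown.

```python
"""Added example: WS-Federation 1.2 passive (web) sign-in redirect and a
defensive check of the wresult the STS posts back. All URLs and the SAML
assertion are constructed placeholders, not the slides' own data."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

STS_SIGNIN_URL = "https://sts.example.test/wsfed"       # constructed
SP_REALM = "https://sp.example.test/"                   # constructed (wtrealm)
SP_REPLY_URL = "https://sp.example.test/wsfed/return"   # constructed (wreply)

# WS-Trust 1.3 is what WS-Federation 1.2 wraps tokens in; 2005/02 is the
# older namespace an unmaintained client may still expect.
NS_TRUST_13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS_TRUST_2005 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
NS_SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_signin_redirect(sts_url=STS_SIGNIN_URL, realm=SP_REALM, reply=SP_REPLY_URL):
    """SP side: the 302 target for wa=wsignin1.0, plus the random wctx the SP
    stores in its session and must see back unchanged."""
    wctx = secrets.token_urlsafe(16)
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": wctx}
    return f"{sts_url}?{urlencode(params)}", wctx

def parse_signin_request(url):
    """STS side: read the passive request; only the sign-in action is handled."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("wa") != "wsignin1.0":
        raise ValueError("unsupported wa action")
    return query

def _find_assertion(root):
    """Locate the token in the RSTR, tolerating the old WS-Trust namespace and
    either a SAML 1.1 or a SAML 2.0 assertion."""
    trust_ns = next((ns for ns in (NS_TRUST_13, NS_TRUST_2005)
                     if root.find(f".//{{{ns}}}RequestedSecurityToken") is not None), None)
    if trust_ns is None:
        raise ValueError("no RequestedSecurityToken in a known WS-Trust namespace")
    for saml_ns in (NS_SAML11, NS_SAML2):
        assertion = root.find(f".//{{{saml_ns}}}Assertion")
        if assertion is not None:
            return trust_ns, saml_ns, assertion
    raise ValueError("no SAML assertion in the token")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_wresult(wresult, expected_wctx, received_wctx, realm=SP_REALM, now=None):
    """SP side, on the POST back from the STS: wctx must round-trip, the
    assertion must be inside its validity window and addressed to this realm.
    XML signature verification against STS metadata is not shown here."""
    if not secrets.compare_digest(expected_wctx, received_wctx):
        raise ValueError("wctx mismatch")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(wresult)  # stdlib expat does not fetch external entities
    trust_ns, saml_ns, assertion = _find_assertion(root)
    cond = assertion.find(f"{{{saml_ns}}}Conditions")
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not (_ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.iter(f"{{{saml_ns}}}Audience")]
    if realm not in audiences:
        raise ValueError(f"audience {audiences} does not name {realm}")
    name_tag = "NameIdentifier" if saml_ns == NS_SAML11 else "NameID"
    return {"subject": assertion.findtext(f".//{{{saml_ns}}}{name_tag}"),
            "saml": "1.1" if saml_ns == NS_SAML11 else "2.0",
            "old_trust_namespace": trust_ns == NS_TRUST_2005}

# Constructed wresult: a SAML 1.1 assertion inside a WS-Trust 1.3 RSTR.
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{NS_TRUST_13}">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{NS_SAML11}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="https://sts.example.test/" IssueInstant="2011-03-22T09:00:00Z">
   <saml:Conditions NotBefore="2011-03-22T09:00:00Z" NotOnOrAfter="2011-03-22T10:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{SP_REALM}</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AuthenticationStatement AuthenticationInstant="2011-03-22T09:00:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
   </saml:AuthenticationStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

def check_sample(now_iso="2011-03-22T09:30:00Z"):
    """Full round trip against the constructed wresult at a given clock time."""
    url, wctx = build_signin_redirect()
    parse_signin_request(url)
    return validate_wresult(SAMPLE_WRESULT, wctx, wctx, now=_ts(now_iso))

def rejects(now_iso):
    """True if the constructed wresult is refused at the given clock time."""
    try:
        check_sample(now_iso)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(check_sample())                   # accepted inside the validity window
    print(rejects("2011-03-22T11:00:00Z"))  # True: the assertion has expired
```

Each refusal carries a distinct reason (wctx, namespace, window, audience), which is the diagnostic an SP operator needs on their own side even when the STS, as on the slide, only says "error occurred".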
Lessons Learned – no surprise
• Need both Java and C (or C++) implementations
• Interoperating, mature, maintained
• Test suite needs publishing
  – As part of OS code
Debugging
• Only possible with source code
  – Documented (and non-obfuscated)
  – Compilable
• Work orthogonal to hosting environment
Debugging
• Inspecting over SSL sockets nearly impossible
  – Which is a feature
• Debug at client or server
  – Browser plugins – e.g. TamperData for Mozilla (Firefox)
Whither then?
• Made good progress, could pick up again
  – Contribute back upstream?
• Other OS SPs available (untested)
  – GENESIS II, but in Java
• Needs interest in community to thrive