0

Forgive me I am a Shibboleth / SAML 2 noob. Hopefully these are straightforward questions.

I recently posted asking whether we could do Shib / SAML 2 integration with Azure ACS. The answers led me to believe that we could not use ACS, but implement something using the lower-level WIF + SAML2 Extensions CTP libs.

On a related matter I called one of our affiliates to ask if they could add our app as a Service Provider using their InCommon Federation membership. They asked me if we were going to install the Shibboleth Service Provider on the Azure machine(s) hosting our MVC3 web role.

Until they mentioned this, I had no idea there was a Shibboleth Service Provider installer. I was under the impression, according to everything I've read so far about SAML2, that our mvc3 web role is the service provider.

So, what is the Shibboleth Service Provider? What does it do? What value would be added by installing it on our Azure instances? Do I have to have it in order to SSO against Shibboleth? or can we just do pure saml2?

My preference is to not install it, since it would have to be installed on each role instance, making deployment take longer.

Community
  • 1
  • 1
danludwig
  • 46,965
  • 25
  • 159
  • 237
  • I don't know much about Shibboleth either, but their definition seems to match what you are saying with respect to what a SP is: http://shibboleth.internet2.edu/about.html SP = "relying party". – Eugenio Pace Jan 11 '12 at 16:01
  • Yeah I'm used to RP from OpenID / OAuth. Talking to these people, need to use the term SP. – danludwig Jan 11 '12 at 16:22

1 Answers1

2

There is some information on using Shibboleth 2 for SSO in front of your web application in this question: In order to implement SAML do I need Shibboleth SP installed on my host?; the answer is linux/Java-centric.

The Shibboleth SP is a product that you can use in front of your existing web application, or even just in front of a particular SSO-login URL that you can add to your existing web application. If your application already has a notion of users, then you can simply figure out how you will map the Identity Provider's user attributes to your application users. You and your affiliated company need to come up with what you want to do to map identities from the Identity Provider to identities on your application. You might have some shared data, or you might be required to set up that data when the the user first uses SSO.

The value that Shibboleth SP provides is that it is a product that implements all of the SAML 2.0 interactions you are likely to need. It's easy to configure SAML 2.0 Web-SSO with Shibboleth and have the Shibboleth module add variables to the HTTP requests that contain all of the Attributes in the SAML 2 Assertions that the Identity Provider will be sending you.

If You can do all of that with Azure ACS, then there's no need to install Shibboleth. My limited understanding is that Azure ACS may already support SAML 2.0 Web SSO: http://saml.xml.org/news/windows-azure-gains-single-sign-on-support

Community
  • 1
  • 1
jbindel
  • 5,535
  • 2
  • 25
  • 38
  • That's contrary to my understanding from my other post. I was told I will need to use WIF SAML 2.0 Extensions (in CTP), not ACS. Either way, thanks for the info. – danludwig Jan 11 '12 at 18:44
  • I only know what I've seen today, but I guess you're right: http://blogs.msdn.com/b/usisvde/archive/2011/05/19/ctp-for-single-sign-on-extends-windows-identity-foundation-wif-v3-5-for-saml-2-0.aspx – jbindel Jan 11 '12 at 21:18