[OpenAM] SAML Connection source
Marc Priebee
Marc.Priebee at telecom.co.nz
Thu Sep 29 22:59:02 EDT 2011
Excellent - thanks for that.
Cheers
Marc
-----Original Message-----
From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Mark de Reeper
Sent: Friday, 30 September 2011 9:16 a.m.
To: Users
Subject: Re: [OpenAM] SAML Connection source
Marc,
If just using the POST profile, then everything happens via the browser, so you should be OK without firewall changes, but the IDP and SP do need to be exposed directly to the browser because, as Bernhard pointed out, the DistUI doesn't support proxying the federation bits.
In terms of which bits of the IDP/SP you need to expose to the browser, you should be able to get away with just making the SP/saml2 and IDP/saml2 URIs available if they are being protected by a rev-proxy/firewall.
Remember that when generating the IDP/SP metadata, you should be using the Site address as part of the published URLs if OpenSSO/OpenAM are part of a Site.
Thanks
Mark
On 30/09/2011, at 7:10 AM, Marc Priebee wrote:
> Thanks Kiran, Bernhard,
>
> I think it's the documentation that is confusing me ;-(
>
> My pre-reading on SAML V2 led me to believe that, (unless I was using the
> browser artifact profile) only the browser needs to be able to connect to
> the SP. All the SAML stuff is done via redirects back through the browser.
>
> But the diagram in the OpenSSO manual, "Deployment Example: SAML V2
> Using Sun OpenSSO enterprise 8.0" implies the SAML assertion is POSTed
> from the IdP to the SP directly. If that is the case, then I need to
> get firewall rules updated before I can test.
>
> Cheers
> Marc
>
>
> -----Original Message-----
> From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Bernhard Thalmayr
> Sent: Thursday, 29 September 2011 9:15 p.m.
> To: openam at forgerock.org
> Subject: Re: [OpenAM] SAML Connection source
>
> DistUI does not support federation protocols ... it's an OpenSSO/OpenAM
> 'authentication-level reverse-proxy'.
>
> As always ... have you already had a look at the OpenSSO documentation?
>
> -Bernhard
>
> On 09/28/2011 10:46 PM, Marc Priebee wrote:
>> Hi there,
>>
>> I need to set up a new SAML connection to an external SP. My existing
>> OpenSSO environment will be the IdP, and as I've never done this before,
>> I'm not sure exactly where the connections to the SP will be from. (I
>> want to get any required firewall changes done sooner rather than later)
>>
>> Will the OpenSSO server itself also need to connect to the SP? (what if
>> I'm using a separate DAUI?)
>>
>> As it's just an HTTPS (?) connection, it should work fine via a NAT
>> firewall?
>>
>> Thanks
>>
>> Marc
> --
> Painstaking Minds
> IT-Consulting Bernhard Thalmayr
> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> Tel: +49 (0)8062 7769174
> Mobile: +49 (0)176 55060699
>
> bernhard.thalmayr at painstakingminds.com - Solution Architect
_______________________________________________
OpenAM mailing list
OpenAM at forgerock.org
https://lists.forgerock.org/mailman/listinfo/openam
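The two practical questions in this thread (which endpoints must the browser reach through the reverse proxy, and where is a direct server-to-server connection actually needed) can be answered from the SAML 2.0 metadata itself. The following is an added example, not code from the thread or from OpenAM/OpenSSO: it reads an IdP metadata document, classifies each endpoint by binding (HTTP-POST, HTTP-Redirect and HTTP-Artifact travel through the browser; SOAP, used by the ArtifactResolutionService, is a back-channel call that would need a firewall rule), flags any Location not published under the Site address, and shows what an IdP actually returns to the browser under the POST binding (an auto-submitting form, never a connection to the SP). The metadata, hostnames (sso.example.co.nz as the Site address, sso-node1 as a single node) and endpoint paths are constructed for the example.

```python
"""Added example: plan browser/firewall exposure from SAML 2.0 IdP metadata.

Not from the OpenAM thread or the OpenAM code base; metadata below is constructed.
"""
import base64
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Messages on these bindings travel through the user's browser (front channel).
FRONT_CHANNEL = {BIND + "HTTP-POST", BIND + "HTTP-Redirect", BIND + "HTTP-Artifact"}
# Messages on this binding are a direct server-to-server call (back channel).
BACK_CHANNEL = {BIND + "SOAP"}

# Constructed IdP metadata. "sso.example.co.nz" stands for the OpenAM Site
# address; the SingleLogoutService was (wrongly) generated with a node hostname.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.co.nz/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sso.example.co.nz/openam/ArtifactResolver/metaAlias/idp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso-node1.example.co.nz/openam/IDPSloRedirect/metaAlias/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.co.nz/openam/SSORedirect/metaAlias/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.co.nz/openam/SSOPOST/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_endpoints(metadata_xml):
    """Return (service, binding, location) for every endpoint element in the metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for role in root:
        for element in role:
            if "Binding" in element.attrib and "Location" in element.attrib:
                endpoints.append((element.tag.replace(MD, ""),
                                  element.attrib["Binding"],
                                  element.attrib["Location"]))
    return endpoints


def site_address_mismatches(endpoints, site_url):
    """Endpoints whose published Location is not under the Site address (scheme + host)."""
    site = urlparse(site_url)
    return [(service, location) for service, _binding, location in endpoints
            if (urlparse(location).scheme, urlparse(location).netloc) != (site.scheme, site.netloc)]


def exposure_plan(endpoints):
    """Split endpoints into paths the browser must reach (open them on the
    reverse proxy) and paths only a peer server calls (firewall rule needed,
    and only if a partner actually uses HTTP-Artifact or SOAP logout)."""
    browser, server = set(), set()
    for _service, binding, location in endpoints:
        path = urlparse(location).path
        if binding in FRONT_CHANNEL:
            browser.add(path)
        elif binding in BACK_CHANNEL:
            server.add(path)
        else:
            raise ValueError("unknown binding: " + binding)
    return {"browser_paths": sorted(browser), "server_paths": sorted(server)}


def post_binding_form(acs_url, saml_response_xml, relay_state=None):
    """HTTP-POST binding: the IdP answers the browser with this page and the
    browser submits it to the SP's AssertionConsumerService. The IdP itself
    never opens a connection to the SP."""
    fields = {"SAMLResponse": base64.b64encode(saml_response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join('<input type="hidden" name="%s" value="%s"/>'
                     % (html.escape(k), html.escape(v)) for k, v in fields.items())
    return ('<html><body onload="document.forms[0].submit()">'
            '<form method="POST" action="%s">%s</form></body></html>'
            % (html.escape(acs_url), inputs))


if __name__ == "__main__":
    eps = parse_endpoints(IDP_METADATA)
    print("not under Site address:", site_address_mismatches(eps, "https://sso.example.co.nz/openam"))
    print(exposure_plan(eps))
    print(post_binding_form("https://sp.partner.example/saml2/acs", "<samlp:Response/>", "state123"))
```

Run against the constructed metadata, the plan lists the three SSO/SLO paths as the only ones the reverse proxy must pass to the browser, puts the ArtifactResolver path in the server-only set (relevant only if the partner SP picks the artifact binding), and reports the SingleLogoutService as published with a node hostname rather than the Site address, which is exactly the metadata mistake Mark warns about.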