Question

We are looking at providing SSO for a partner company so that they can access our website without separately logging in. The partner company already has an SSO implementation within their intranet as well as other partners. We only need to be able to receive the SAML tokens and confirm that they are valid (either Browser/Post or Browser/Artifact profiles can be used). We do not need to implement SSO for our domain users.

Question: Is it worthwhile/possible to implement a service (using WCF?) that can receive and process these tokens issued by the third party, or do we need to implement a vendor application (like SiteMinder, PingFederate etc.) on our side even to be able to act as a relying party in this federation?

Solution

One open source solution you should take a look at is OpenSSO. You can download and deploy OpenSSO as a full-service web access management system, including federated single sign-on via SAML 2.0 and other protocols, or just deploy the Fedlet, which provides a simple service provider/relying party implementation (including the ACS) for both Java and (pre-release now, but supported soon) .Net.

OTHER TIPS

We used the OpenAM Fedlet with great success. OpenAM preconfigures a WAR file for an IDP that you then deploy on the SP. You then have to integrate with the session management in your application to tell it the user is authenticated. It does SAML 2 only; that is how it is so lightweight and can co-exist with your application.

OpenAM is the new name for OpenSSO since Sun-Oracle has planned to drop it. It is hosted at forgerock.com.

Also, I have heard great things about Shibboleth SP. It runs as a CGI under Apache or whatever web server. It uses the REMOTE_USER variable to communicate the user ID to your application. Shibboleth is an Internet2 middleware project based on OpenSAML libraries.

A list of several open-source SAML implementations can be found here.

OpenSSO, OpenSAML and Shibboleth seem like the major options.
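
The answers above mention two integration points: the SP component passes the user ID in REMOTE_USER, and the application then has to create its own session. The sketch below is an added example, not code from the posts or from any of the named projects. It assumes a Python WSGI application behind such an SP module; `SESSION_KEY`, `issue_session`, `verify_session` and `authenticated_user` are hypothetical names, and the key is a constructed value.

```python
import hashlib
import hmac
import time

# Assumption: a per-deployment secret loaded from configuration (constructed value).
SESSION_KEY = b"constructed-demo-key-change-me"
SESSION_TTL = 3600  # session lifetime in seconds

def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, now=None):
    """Build a signed 'user|expiry|mac' value for the application's session cookie."""
    expiry = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"

def verify_session(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry, mac = token.rsplit("|", 2)
        expiry_ts = int(expiry)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
        return None
    if expiry_ts < (time.time() if now is None else now):
        return None
    return user

def authenticated_user(environ):
    """Return the identity asserted by the SP module, or None."""
    # Only the server-set CGI variable is trusted. A client-sent "Remote-User"
    # header arrives as HTTP_REMOTE_USER and is deliberately ignored.
    user = environ.get("REMOTE_USER", "").strip()
    return user or None

def app(environ, start_response):
    """WSGI entry point for the area protected by the SP module."""
    user = authenticated_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no federated identity\n"]
    cookie = f"session={issue_session(user)}; HttpOnly; Secure; SameSite=Lax; Path=/"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)])
    return [f"signed in as {user}\n".encode()]
```

The SAML response itself is validated by the SP component before REMOTE_USER is set; this code covers only the hand-off into the application's session.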

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow