On 29.01.2014 17:06, Adam Young wrote:
We had a team member looking into SAML, but I don't know if he made that distinction.
Do you think he would be willing to give a helping hand and share his expertise? Any possibility to contact your colleague? Without ECP/HTTP client extensions I think the federation is only 50% useful (because eventually somehow you need to log in and obtain the SAML assertion manually, with your browser).
Is there anything that would prevent us from having a solution that supported both, based on the requirements of the implementer?
mod_shib passes SAML assertion parameters into discrete environment variables. I am now looking at the mod_mellon README file and it looks like mellon's behaviour is pretty much the same. So, if there are any implementation details, they are minor ones and we basically start on the same page.
From https://modmellon.googlecode.com/svn/trunk/mod_mellon2/README :

===========================================================================
 Using mod_auth_mellon
===========================================================================

After you have set up mod_auth_mellon, you should be able to visit (in our
example) https://example.com/secret/, and be redirected to the IdP's login
page. After logging in you should be returned to
https://example.com/secret/, and get the contents of that page.

When authenticating a user, mod_auth_mellon will set some environment
variables to the attributes it received from the IdP. The name of the
variables will be MELLON_<attribute name>. If you have specified a
different name with the MellonSetEnv or MellonSetEnvNoPrefix configuration
directive, then that name will be used instead. In the case of MellonSetEnv,
the name will still be prefixed by 'MELLON_'.

The value of the attribute will be base64 decoded.

mod_auth_mellon supports multivalued attributes with the following format:
<base64 encoded value>_<base64 encoded value>_<base 64 encoded value>...

If an attribute has multiple values, then they will be stored as
MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2, ...

Since mod_auth_mellon doesn't know which attributes may have multiple
values, it will store every attribute at least twice. Once named
MELLON_<name>, and once named MELLON_<name>_0.

In the case of multivalued attributes MELLON_<name> will contain the first
value.

The following code is a simple php-script which prints out all the
variables:

  <?php
  header('Content-Type: text/plain');

  foreach($_SERVER as $key=>$value) {
    if(substr($key, 0, 7) == 'MELLON_') {
      echo($key . '=' . $value . "\r\n");
    }
  }
  ?>

-- 
Marek Denis
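The naming scheme in the quoted README, rebuilt into a per-attribute value list on the consuming side. This is an added example, not part of the original message and not code from mod_auth_mellon or Keystone; the function name, the sample environ and the assumption that the variables reach a Python WSGI `environ` with the default `MELLON_` prefix are all illustrative.

```python
PREFIX = "MELLON_"

def mellon_attributes(environ):
    """Return {attribute: [values]} from variables set by mod_auth_mellon.

    Assumes the default MELLON_ prefix (no MellonSetEnvNoPrefix renames).
    """
    # Only keys that start with MELLON_ are considered. Request headers sent
    # by the client show up under HTTP_*, so they can never match the prefix.
    found = {k[len(PREFIX):]: v for k, v in environ.items()
             if k.startswith(PREFIX) and isinstance(v, str)}
    attrs = {}
    for name in found:
        # Per the README every attribute is stored at least twice:
        # MELLON_<name> and MELLON_<name>_0. A key without a _0 twin is
        # itself an indexed value (e.g. groups_1), not an attribute name.
        if f"{name}_0" not in found:
            continue
        values = []
        i = 0
        while f"{name}_{i}" in found:
            values.append(found[f"{name}_{i}"])
            i += 1
        # MELLON_<name> must carry the first value; refuse inconsistent input
        # rather than guess which copy to trust.
        if found[name] != values[0]:
            raise ValueError(f"inconsistent values for attribute {name!r}")
        attrs[name] = values
    return attrs

# Constructed sample environ (not captured from a real deployment).
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "MELLON_uid": "alice",
    "MELLON_uid_0": "alice",
    "MELLON_groups": "admins",
    "MELLON_groups_0": "admins",
    "MELLON_groups_1": "developers",
    "HTTP_MELLON_GROUPS": "cloud-admin",  # client-sent header, ignored
}

if __name__ == "__main__":
    for attr, vals in mellon_attributes(SAMPLE_ENVIRON).items():
        print(attr, vals)
```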
