...
A high-level sequence diagram gives the general approach to the 4-tier flow: proxying from the browser through the portal and a portlet to an external service. Essential underpinnings of this approach are
- Use of the SAML 2 ECP profile ("Enhanced Client or Proxy"), which specifies how a non-browser client or proxy performs SAML authentication flows with the IdP and SP, and so supports service-to-service SAML flows.
- Use of standard SAML assertion conditions and attributes to constrain where, and by whom, a proxy token may be used.
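The kind of constraint check the second underpinning implies, as an added illustration (not code from the page, from Shibboleth or from uPortal): a relying party parses the Conditions of a received assertion and decides (a) whether it may accept the token for itself and (b) whether it may use it to proxy to a given downstream service. The sample assertion, the entity IDs and the "deny when no ProxyRestriction is present" policy are constructed assumptions; signature validation, which a real SP performs before any of this, is deliberately left out.

```python
"""Illustrative SAML 2 proxy-token condition checks (added example, not Shibboleth code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer and entity IDs are hypothetical.
# AudienceRestriction says who may consume it; ProxyRestriction says whether
# (Count) and toward whom (Audience) a derived assertion may be obtained.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-06-01T12:00:00Z" NotOnOrAfter="2009-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
    <saml:ProxyRestriction Count="1">
      <saml:Audience>https://calendar.example.edu/shibboleth</saml:Audience>
    </saml:ProxyRestriction>
  </saml:Conditions>
</saml:Assertion>"""


@dataclass
class ProxyDecision:
    accepted: bool
    reason: str


def parse_utc(s):
    """Parse the xs:dateTime form SAML uses (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_acceptance(assertion_xml, my_entity_id, now):
    """May the relying party identified by my_entity_id accept this assertion at time `now`?
    (Signature verification is assumed to have happened already; not shown here.)"""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ProxyDecision(False, "no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_utc(nb):
        return ProxyDecision(False, "assertion not yet valid")
    if noa and now >= parse_utc(noa):
        return ProxyDecision(False, "assertion expired")
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audiences and my_entity_id not in audiences:
        return ProxyDecision(False, f"audience restriction excludes {my_entity_id}")
    return ProxyDecision(True, "conditions satisfied")


def check_proxying(assertion_xml, downstream_entity_id, require_proxy_restriction=True):
    """May the relying party use this assertion to obtain one for downstream_entity_id?
    require_proxy_restriction is a local policy choice (assumed here): the SAML spec
    treats a missing ProxyRestriction as 'no restriction', but a cautious deployment
    can refuse to proxy unless the IdP explicitly permitted it."""
    root = ET.fromstring(assertion_xml)
    pr = root.find("saml:Conditions/saml:ProxyRestriction", NS)
    if pr is None:
        if require_proxy_restriction:
            return ProxyDecision(False, "no ProxyRestriction; local policy denies proxying")
        return ProxyDecision(True, "no ProxyRestriction; proxying unrestricted")
    count = pr.get("Count")
    if count is not None and int(count) < 1:
        return ProxyDecision(False, "ProxyRestriction Count=0 forbids further indirection")
    allowed = {a.text.strip() for a in pr.findall("saml:Audience", NS)}
    if allowed and downstream_entity_id not in allowed:
        return ProxyDecision(False, f"{downstream_entity_id} not in ProxyRestriction audiences")
    return ProxyDecision(True, "proxying permitted")


if __name__ == "__main__":
    now = parse_utc("2009-06-01T12:02:00Z")
    print(check_acceptance(SAMPLE_ASSERTION, "https://portal.example.edu/shibboleth", now))
    print(check_proxying(SAMPLE_ASSERTION, "https://calendar.example.edu/shibboleth"))
    print(check_proxying(SAMPLE_ASSERTION, "https://mail.example.edu/shibboleth"))
```

In the 4-tier picture the portal runs `check_acceptance` on the token it receives, and each portlet runs `check_proxying` against the entity ID of the external service before attempting an ECP exchange on the user's behalf; the logging and policy hooks referred to in the action items below would sit at exactly those two decision points.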
...
~cantor.2@osu.edu will draft initial specs for IdP enhancements needed to (1) support ECP and (2) add support for expressing policy that constrains delegation of proxy tokens.
~cantor.2@osu.edu will draft initial specs for the overall flow (of which the diagram above is an inaccurate but indicative form).
~battags will review the above draft spec to assess how closely it aligns with the existing CAS proxy flows.
~cantor.2@osu.edu will enhance the Shibboleth SP to provide suitable logging of, and policy control over, acceptance of proxy tokens.
...
(unassigned) will develop specs for a library (or similar) to enable portlets to implement the ECP profile.
~tbarton will identify or provide a space in which to continue collaborative work on this topic, and will coordinate with appropriate Internet2, Unicon, U Chicago, and other people to keep this effort on track.
~tbarton will ensure that a portion of Unicon's engagement with U Chicago's uPortal deployment is assigned to this development activity.
~tbarton will ensure that JISC is informed of this effort, so as to learn of any interest they may have in it.