...
Note | ||||
---|---|---|---|---|
| ||||
Suppose that in the portal at https://portal.example.edu/ there is a portlet web application OrderStatusPortlet.war such that, to the extent that this portlet application is also a servlet application, it answers at https://portal.example.edu/OrderStatusPortlet/ . The Service URL of this portlet is therefore https://portal.example.edu/OrderStatusPortlet/ . The portal will use its Proxy Granting Ticket to obtain a Proxy Ticket for the purpose of authenticating to https://portal.example.edu/OrderStatusPortlet/ , which it will then present to the portlet as the special JSR-168 user attribute "casProxyTicket". The Portlet will then validate this ticket with CAS, specifying at validation that it would itself like to obtain a Proxy Granting Ticket and providing to CAS a callback URL at which it would like to receive that Proxy Granting Ticket. CAS calls back to a URL like https://portal.example.edu/OrderStatusPortlet/proxyTicketReceptor providing a Proxy Granting Ticket which authenticates the chain of user-portal-portlet. The portlet then uses this Proxy Granting Ticket to obtain Proxy Tickets for the purpose of authenticating to specific backing services. |
...
The SAML Assertion could be modeled as a Base64 encoded String so that a more complex object need not be passed across the classloader boundary (with all those attendant classloader issues) between portal and portlet. If done carefully this should preserve the validity of any signatures and allow the portlet to reconstruct the assertion.
Portlet Client Library
There's now a child page for exploring this library.
- Need an HTTP client API allowing access to WSPs while handling authentication internally
- Client stack needs support for TLS client and server authentication, cookies, and whatever features WSPs would impose
- Internals must support detection of ECP requests, Liberty-defined interactions with IdP, and handling ECP responses