By: Vipin Jain named 29 Mar 2017 at 11:06 a.m. CDT

8 Responses
Hello Team, can the Gluu product act as a Service Provider and then convert the incoming SAML request attributes to request headers, similar to Shibboleth SP? Thanks

By Aliaksandr Samuseu staff 29 Mar 2017 at 11:11 a.m. CDT

Hi, Vipin. Not sure I completely understand what you are referring to. Can you provide links to some technical papers/articles/doc pages which describe your intended flow? So far it seems to me you may be interested in the functionality Asimba (a Gluu component) provides; you can learn about it [here](https://gluu.org/docs/ce/admin-guide/saml/#inbound-saml-asimba).

By Vipin Jain named 29 Mar 2017 at 11:15 a.m. CDT

Thanks for the prompt reply. Basically, I'm looking for something like the Shibboleth Service Provider concept: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess

By Aliaksandr Samuseu staff 29 Mar 2017 at 11:24 a.m. CDT

Understood. It's a bit of an unusual request, though. Gluu isn't designed to serve as an SP. When using the Asimba proxy setup I referenced above, it assumes the role of SP when proxying requests from an external SP to IdP(s) behind it, but it only makes any sense in the context of this setup. It's not designed to share these attributes with anything else than Asimba and Shibboleth. In terms of SAML, Gluu is limited to what Shibboleth **IdP** can do, as it uses it internally for SAML flows. So you may try to find a way to achieve what you need by reconfiguring the IdP. Such non-streamlined subjects are out of scope of Community Support; you can try Shibboleth forums instead.

By Vipin Jain named 29 Mar 2017 at 11:27 a.m. CDT

Got it. So Gluu cannot act just as a Service Provider, right? If required, something which CA SSO or OAM support

By Aliaksandr Samuseu staff 29 Mar 2017 at 12:24 p.m. CDT

We may have different views of SP's roles, I suppose. Let's put it like this: Gluu by itself does not manage/enforce access to some resource, it answers remote requests from SPs to send some user data. Even in UMA flows, Gluu only provides authorization decisions; it's actually the Resource Server that finally enforces the decision, allowing/denying access. You could explain your intended setup in more detail if you would like a suggestion on how to achieve it.

By Vipin Jain named 29 Mar 2017 at 12:51 p.m. CDT

Basically, I am thinking of using the Gluu IAM system as a replacement for Shibboleth Service Provider. Is that possible?

By Aliaksandr Samuseu staff 29 Mar 2017 at 1:11 p.m. CDT

No, it doesn't contain Shibboleth SP, or similar software. I can't deny something like this is technically possible by deep reconfiguration of the framework, but this would be way too far off from Gluu's intended role, is not recommended and is not covered by free support, unfortunately. If you don't mind spending some money for extra help, you could arrange a call with William and/or Michael and discuss your needs. Maybe they will recommend some of our partners who'll be able to help (for a price).

By Michael Schwartz Account Admin 29 Mar 2017 at 1:19 p.m. CDT

Vipin, we have a component called "Asimba" which is a SAML proxy (SP on one side, IDP on the other). Asimba also provides "Discovery", i.e. Where Are You From (WAYF). This SAML proxy is used by SaaS providers who are serving many IDPs, and want to present only one SP metadata, and to provide just-in-time provisioning to dynamically register users who originate from a trusted IDP. If that's the kind of thing you're looking for, the Gluu Server could be a good fit. If you just need a SAML SP for one website, the Shibboleth SP is really stable software that's used by thousands of websites. And besides that, there are many other great SP solutions like SimpleSAMLphp, and OneLogin's many SAML libraries.