As I announced some time ago, we’ve been working on a few labs that demonstrate interoperability with 3rd party identity components. More specifically:

  1. CA SiteMinder 12.0
  2. IBM Tivoli Federated Identity Manager 6.2
  3. Sun OpenSSO 8.0

The general architecture of the lab follows what is described in chapter 4 of the Claims Guide and is illustrated below:

image

All configurations are very similar. Each Identity Provider (IdP) supplies slightly different set of claims.

  1. The application (aExpense from the Claims Guide) trusts ADFS (acting as a Federation Provider)
  2. ADFS is configured with multiple issuers and is responsible for:
    1. “Home realm discovery” (in the lab this is simply a drop down box the user has to choose from)
    2. Token transformation (tokens issued by the different IdP’s are converted into another one used by the app)
  3. Each IdP is responsible for authenticating its users and issuing a token

This first post shows how it works for OpenSSO.

I wanted to thank my colleague Claudio Caldato, from Microsoft interoperability labs for allowing us to reuse all his infrastructure, and for helping us configure all components involved.

 

Interop with OpenSSO

How it works

image

(Full size diagram here)

End to end demo

(Video here)