lasso/branches/branch-0-6-0/docs/reference/tmpl/login.sgml


<!-- ##### SECTION Title ##### -->
LassoLogin
<!-- ##### SECTION Short_Description ##### -->
Single Sign-On and Federation Profile
<!-- ##### SECTION Long_Description ##### -->
<para>
The Single Sign-On process allows a user to log in once to an identity provider
(IdP), and then to be transparently logged in to the required service providers
(SP) belonging to the IdP "circle of trust". Subordinating different identities
of the same user within a circle of trust to a unique IdP is called "Identity
Federation". The Liberty Alliance specifications allow, thanks to this
federation, strong and unique authentication coupled with user control over
his personal information. The explicit user agreement is necessary before
proceeding to Identity Federation.
</para>
<para>
The service provider must implement the following process:
<itemizedlist>
<listitem><para>creating an authentication request (#LassoLibAuthnRequest) with
lasso_login_init_authn_request();</para></listitem>
<listitem><para>sending it to the identity provider with
lasso_login_build_authn_request_msg();</para></listitem>
<listitem><para>receiving and processing the answer:
<itemizedlist>
<listitem>either an authentication response with
lasso_login_process_authn_response_msg()</listitem>
<listitem>or an artifact with lasso_login_init_request() then sending the
request to the IdP with lasso_login_build_request_msg() and processing the
new answer with lasso_login_process_response_msg().</listitem>
</itemizedlist>
</para></listitem>
</itemizedlist>
</para>
<example>
<title>Service Provider Login URL</title>
<programlisting>
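LassoLogin *login;
LassoLibAuthnRequest *request;   /* was used below without a declaration */

/* `server` is the LassoServer (metadata + keys) built elsewhere; assumed in scope */
login = lasso_login_new(server);
lasso_login_init_authn_request(login, "http://identity-provider-id/",
                               LASSO_HTTP_METHOD_REDIRECT);
/* customize AuthnRequest */
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request);
request->NameIDPolicy = strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
request->ForceAuthn = TRUE;
request->IsPassive = FALSE;
request->ProtocolProfile = strdup(LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART);
/* the builders report failure through their return value: do not redirect
 * to a msg_url that was never built */
if (lasso_login_build_authn_request_msg(login) != 0) {
        /* bail out */
}
/* redirect user to identity provider */
printf("Location: %s\n\nRedirected to IdP\n", LASSO_PROFILE(login)->msg_url);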
</programlisting>
</example>
<example>
<title>Service Provider Assertion Consumer Service URL</title>
<programlisting>
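LassoLogin *login;
char *request_method = getenv("REQUEST_METHOD");
char *artifact_msg = NULL, *response_msg = NULL;   /* response_msg was undeclared */
char *lares = NULL, *lareq = NULL;
char *soap_answer_msg = NULL;                      /* was undeclared */
char *name_identifier;
char *identity_dump = NULL, *session_dump = NULL;  /* loaded from local storage */
lassoHttpMethod method;

/* CGI variables may be absent; strcmp() on a NULL pointer is undefined behaviour */
if (request_method == NULL) {
        /* bail out */
}
login = lasso_login_new(server);
if (strcmp(request_method, "GET") == 0) {
        artifact_msg = getenv("QUERY_STRING");   /* may itself be NULL or empty */
        method = LASSO_HTTP_METHOD_REDIRECT;
} else {
        /* read submitted form; if it has a LAREQ field, put it in lareq,
         * if it has a LARES field, put it in lares */
        if (lareq) {
                artifact_msg = lareq;
        } else if (lares) {
                response_msg = lares;
        } else {
                /* bail out */
        }
        method = LASSO_HTTP_METHOD_POST;
}
if (artifact_msg) {
        if (lasso_login_init_request(login, artifact_msg, method) != 0) {
                /* malformed artifact: bail out */
        }
        lasso_login_build_request_msg(login);
        /* makes a SOAP call, soap_call is NOT a Lasso function */
        soap_answer_msg = soap_call(LASSO_PROFILE(login)->msg_url,
                                    LASSO_PROFILE(login)->msg_body);
        /* a non-zero result means the response did not validate (signature,
         * issuer, status...): the SSO must NOT be accepted below */
        if (lasso_login_process_response_msg(login, soap_answer_msg) != 0) {
                /* bail out */
        }
} else if (response_msg) {
        if (lasso_login_process_authn_response_msg(login, response_msg) != 0) {
                /* bail out, same reason as above */
        }
} else {
        /* nothing to process: bail out */
}
name_identifier = LASSO_PROFILE(login)->nameIdentifier;   /* was missing ';' */
/* looks up name_identifier in local file, database, whatever and gets back
 * two things: identity_dump and session_dump.  NOTE(review): if the principal
 * is unknown they stay NULL — check the set_*_from_dump contract for NULL. */
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump);
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump);
lasso_login_accept_sso(login);
if (lasso_profile_is_identity_dirty(LASSO_PROFILE(login))) {
        LassoIdentity *identity;
        char *new_identity_dump;   /* distinct name: no longer shadows identity_dump */
        identity = lasso_profile_get_identity(LASSO_PROFILE(login));
        new_identity_dump = lasso_identity_dump(identity);
        /* record new_identity_dump in file, database... then free it */
}
if (lasso_profile_is_session_dirty(LASSO_PROFILE(login))) {
        LassoSession *session;
        char *new_session_dump;    /* distinct name: no longer shadows session_dump */
        session = lasso_profile_get_session(LASSO_PROFILE(login));
        new_session_dump = lasso_session_dump(session);
        /* record new_session_dump in file, database... then free it */
}
/* redirect user anywhere */
printf("Location: /\n\nRedirected to site root\n");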
</programlisting>
</example>
<!-- ##### SECTION See_Also ##### -->
<para>
</para>
<!-- ##### STRUCT LassoLogin ##### -->
<para>
Single sign-on profile for the current transaction; possibly an
assertionArtifact to be used by the service provider in its
"assertionConsumerServiceURL" and the assertion created or received for the
principal.
</para>
@protocolProfile:
@assertionArtifact:
@assertion:
<!-- ##### ENUM LassoLoginProtocolProfile ##### -->
<para>
Identifies the two possible profiles for Single Sign-On and Federation.
</para>
@LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART:
@LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST:
<!-- ##### FUNCTION lasso_login_new ##### -->
<para>
</para>
@server:
@Returns:
<!-- ##### FUNCTION lasso_login_destroy ##### -->
<para>
</para>
@login:
<!-- ##### FUNCTION lasso_login_dump ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_new_from_dump ##### -->
<para>
</para>
@server:
@dump:
@Returns:
<!-- ##### FUNCTION lasso_login_accept_sso ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_build_artifact_msg ##### -->
<para>
</para>
@login:
@http_method:
@Returns:
<!-- ##### FUNCTION lasso_login_build_assertion ##### -->
<para>
</para>
@login:
@authenticationMethod:
@authenticationInstant:
@reauthenticateOnOrAfter:
@notBefore:
@notOnOrAfter:
@Returns:
<!-- ##### FUNCTION lasso_login_build_authn_request_msg ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_build_authn_response_msg ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_build_request_msg ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_build_response_msg ##### -->
<para>
</para>
@login:
@remote_providerID:
@Returns:
<!-- ##### FUNCTION lasso_login_init_authn_request ##### -->
<para>
</para>
@login:
@remote_providerID:
@http_method:
@Returns:
<!-- ##### FUNCTION lasso_login_init_idp_initiated_authn_request ##### -->
<para>
</para>
@login:
@remote_providerID:
@Returns:
<!-- ##### FUNCTION lasso_login_init_request ##### -->
<para>
</para>
@login:
@response_msg:
@response_http_method:
@Returns:
<!-- ##### FUNCTION lasso_login_must_ask_for_consent ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_must_authenticate ##### -->
<para>
</para>
@login:
@Returns:
<!-- ##### FUNCTION lasso_login_process_authn_request_msg ##### -->
<para>
</para>
@login:
@authn_request_msg:
@Returns:
<!-- ##### FUNCTION lasso_login_process_authn_response_msg ##### -->
<para>
</para>
@login:
@authn_response_msg:
@Returns:
<!-- ##### FUNCTION lasso_login_process_request_msg ##### -->
<para>
</para>
@login:
@request_msg:
@Returns:
<!-- ##### FUNCTION lasso_login_process_response_msg ##### -->
<para>
</para>
@login:
@response_msg:
@Returns:
<!-- ##### FUNCTION lasso_login_validate_request_msg ##### -->
<para>
</para>
@login:
@authentication_result:
@is_consent_obtained:
@Returns: