Wednesday, August 31, 2011

Bridging federation protocols with OIF

I just wrapped up a project for a customer with a slightly odd federation use case.

On the one side was an IdP that could generate SAML assertions.
On the other side was an app that could only accept either a username+password or an OpenID.

We bridged the gap with OIF and a bit of config.

In broad strokes, here's what you do...

  • Install OIF
  • Set up OIF as an OpenID OP
  • Set up OIF as a SAML Service Provider

For SP initiated:
You need to configure OIF to use the Federation SSO proxy authn engine.

When the user reaches the OpenID-enabled app, the app sends the user to OIF. OIF sees that it needs to send the user to the SAML IdP and redirects them there. The user goes to the SAML IdP, logs in and comes back with a SAML assertion. OIF consumes the assertion, generates an OpenID identity and redirects the user back to the OpenID Relying Party.

For IdP initiated:
You need to set up an SP Integration Module (abbreviated to SPIM).

The user starts out at the SAML IdP, which generates a SAML assertion and sends it to OIF. OIF validates the SAML assertion and invokes the SPIM. The SPIM kicks the user into the OpenID flow and they get redirected on to the OpenID RP.
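In both flows OIF is the trust bridge: it must fully validate the SAML assertion before it mints an OpenID identity, or the OpenID side ends up trusting whatever anyone can post to the SP endpoint. The following is an added illustration of those checks, not OIF's code and not from the original post; an HMAC-signed dict stands in for an XML-DSig-signed SAML assertion, and the entity ids, key and OP base URL are assumed.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed stand-ins (assumptions, not OIF configuration values).
IDP_KEY = b"constructed-idp-signing-secret"      # HMAC key standing in for the IdP's XML-DSig cert
TRUSTED_ISSUER = "https://idp.example/saml"      # SAML IdP entity id OIF is federated with
OIF_SP_ENTITY_ID = "https://oif.example/sp"      # OIF's SAML SP entity id (expected Audience)
OIF_OP_BASE = "https://oif.example/op"           # base of the OpenID identifiers OIF issues

def sign(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_assertion(name_id, audience=OIF_SP_ENTITY_ID, issuer=TRUSTED_ISSUER, issued_at=1_000_000):
    """Constructed 'SAML assertion' as the IdP side would produce it (5 minute validity window)."""
    body = {"issuer": issuer, "audience": audience, "name_id": name_id,
            "not_before": issued_at, "not_on_or_after": issued_at + 300}
    return {"body": body, "sig": sign(body, IDP_KEY)}

def validate_assertion(assertion: dict, now: float = None) -> str:
    """Checks the SP side of the bridge performs before trusting the subject; returns the NameID."""
    now = time.time() if now is None else now
    body, sig = assertion["body"], assertion["sig"]
    if not hmac.compare_digest(sign(body, IDP_KEY), sig):
        raise ValueError("signature does not verify")
    if body["issuer"] != TRUSTED_ISSUER:
        raise ValueError("issuer is not a federated IdP")
    if body["audience"] != OIF_SP_ENTITY_ID:
        raise ValueError("assertion was not addressed to this SP")
    if not body["not_before"] <= now < body["not_on_or_after"]:
        raise ValueError("assertion outside its validity window")
    return body["name_id"]

def is_rejected(assertion: dict, now: float) -> bool:
    try:
        validate_assertion(assertion, now)
        return False
    except ValueError:
        return True

def bridge_to_openid(assertion: dict, return_to: str, now: float = None) -> str:
    """Simplified OpenID positive assertion: the redirect OIF sends the user on to the RP."""
    identity = f"{OIF_OP_BASE}/id/{validate_assertion(assertion, now)}"
    params = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to}
    return return_to + "?" + urlencode(params)
```

The OpenID response is reduced to the identity and return_to parameters; a real OP also signs the response so the RP can verify it.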

It's all actually pretty straightforward once you understand what's going on.


  1. That's pretty cool Chris. Do you have a workflow diagram on this that could be shared?

  2. I do... in my head!

    If you mean a pretty picture that I can show you, alas I do not. But I'll put it on my list and update the post when I get a chance to sketch it out.

  3. Chris,

    I hope that you are doing well. I have a client asking for the same type of setup as you described here. I have everything configured as you described but having some difficulty with the hand off between bridging SAML and OpenID ... did you ever get a chance to put together more documentation on this use case?


  4. Hi Brad. I have set this up before and it worked as I described above - clicky clicky click and done. If you set it up as I described above and are running into trouble the best thing to do is probably to open an SR and have support work through it.

