index > Claims based access platform (CBA), code-named Geneva > Protocol transition from SAML 2.0 passive to WS-Federation passive
Protocol transition from SAML 2.0 passive to WS-Federation passive

Right, so I have a very specific question/feature request.

Imagine a scenario already running composed of a Geneva Server in an SP role. Trusting this SP we have a number of .NET web applications running WS-Federation passive, trusting the SP to provide SAML tokens.

Now, later on, the customer decides to add support for federated login to the SP. This is fine, except the IdP we want to federate with is running SAML 2.0 passive!

The dream scenario for me as a developer in this scenario is this:
- The web applications continue to understand only WS-Federation passive
- The IdP and SP establish trust
- The web applications are NOT changed

Of course this isn't possible since you currently cannot federate "passively" when it involves transitioning from one passive protocol to another. So, my question consists of:

1. Will Geneva Server support SAML 2.0 passive in the SP role (SP Lite)? I think currently it only supports it in the IdP role. This is the first thing that must be fulfilled.
2. Will Geneva Server allow protocol transition and thus support IdPs that speak the SAML 2.0 passive protocol? This requires that there be some kind of logic, or at least an extensibility point, that would allow you to determine how to do claims transformation from the SAML 2.0 token arriving from the IdP to the SAML 1.1 token being issued by the SP.

This isn't something just coming off the top of my head... we have customers asking for this functionality already.
Jesper Hvid
Hi Jesper,
The short answer is yes, we are working to support that scenario by Geneva Server RTM.

We are working on supporting the SAML 2.0 protocol as Service Provider (see Des' blog).
Once the protocol is implemented, the SAML 2.0 token will be processed by the same pipeline as tokens arriving via WS-Federation (or via WS-Trust and CardSpace, for that matter), and the protocol transition of SAML-P IdP to Geneva Server to WS-Federation web app will be possible.

Hopefully we'll have some of this for you to try out at Beta 2.

edit: added link to Des' blog
Bo Chen at Microsoft
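The pipeline Bo describes, sketched as an added example (not code from this thread and not Geneva Server's implementation): a SAML 2.0 assertion from the upstream IdP is validated (validity window, audience), its attributes are run through a set of claims-transformation rules, and the result is issued as a SAML 1.1 assertion inside the WS-Federation wresult the unchanged web applications already understand. The rule table, the sample assertion and all entity IDs are constructed for the illustration; XML signature verification, which a real STS performs before anything else, is outside the scope of this toy.

```python
"""Toy protocol-transition pipeline: SAML 2.0 assertion in, SAML 1.1 token inside a WS-Federation
wresult out. Added illustration, not Geneva Server code; XML signature checks are out of scope here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
IDENTITY = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed claims-transformation rules: incoming SAML 2.0 attribute (or NameID format) -> outgoing claim type.
RULES = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": IDENTITY + "/emailaddress",
    "urn:oid:2.5.4.42": IDENTITY + "/givenname",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

# Constructed sample, shaped like the assertion an upstream SAML 2.0 IdP returns inside a samlp:Response.
SAMPLE_SAML2 = f"""<Assertion xmlns="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <Issuer>https://idp.example.org/saml2</Issuer>
  <Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</NameID></Subject>
  <Conditions NotBefore="2009-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <AudienceRestriction><Audience>https://sp.example.com/geneva</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="urn:oid:2.5.4.42"><AttributeValue>Alice</AttributeValue></Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><AttributeValue>staff</AttributeValue><AttributeValue>admin</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def validate_saml2(assertion, expected_audience, now=None):
    """Reject an assertion outside its validity window or addressed to a different SP."""
    now = now or datetime.now(timezone.utc)
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not not_before <= now < not_after:
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(f"{{{SAML2}}}Audience")]:
        raise ValueError("assertion not addressed to this SP")

def extract_claims(assertion):
    """Flatten the SAML 2.0 assertion into (name, value) pairs; the NameID is keyed by its Format."""
    claims = []
    name_id = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if name_id is not None:
        claims.append((name_id.get("Format", ""), name_id.text))
    for attr in assertion.iter(f"{{{SAML2}}}Attribute"):
        for val in attr.findall(f"{{{SAML2}}}AttributeValue"):
            claims.append((attr.get("Name"), val.text))
    return claims

def transform(claims, rules=RULES):
    """Apply the rules; anything without a rule is dropped, not passed through to the web application."""
    return [(rules[name], value) for name, value in claims if name in rules]

def issue_saml11(claims, issuer, audience, now=None):
    """Build the WS-Federation wresult: an RSTR wrapping a SAML 1.1 assertion issued by this SP."""
    now = now or datetime.now(timezone.utc)
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    token = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    assertion = ET.SubElement(token, f"{{{SAML1}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_ID-PLACEHOLDER",
        "Issuer": issuer, "IssueInstant": now.strftime(FMT)})
    cond = ET.SubElement(assertion, f"{{{SAML1}}}Conditions", {
        "NotBefore": now.strftime(FMT), "NotOnOrAfter": (now + timedelta(minutes=10)).strftime(FMT)})
    arc = ET.SubElement(cond, f"{{{SAML1}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML1}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML1}}}AttributeStatement")
    subject = ET.SubElement(stmt, f"{{{SAML1}}}Subject")
    email = next((v for t, v in claims if t.endswith("/emailaddress")), "anonymous")
    ET.SubElement(subject, f"{{{SAML1}}}NameIdentifier").text = email
    grouped = {}
    for claim_type, value in claims:  # SAML 1.1 carries one Attribute per type with several values
        grouped.setdefault(claim_type, []).append(value)
    for claim_type, values in grouped.items():
        ns, _, name = claim_type.rpartition("/")
        attr = ET.SubElement(stmt, f"{{{SAML1}}}Attribute", {"AttributeName": name, "AttributeNamespace": ns})
        for value in values:
            ET.SubElement(attr, f"{{{SAML1}}}AttributeValue").text = value
    return ET.tostring(rstr, encoding="unicode")

def transition(saml2_xml, sp_entity_id, rp_realm, rules=RULES):
    """The pipeline end to end: validate incoming SAML 2.0, transform claims, issue SAML 1.1 for the RP."""
    assertion = ET.fromstring(saml2_xml)
    validate_saml2(assertion, sp_entity_id)
    return issue_saml11(transform(extract_claims(assertion), rules), sp_entity_id, rp_realm)

def claims_seen_by_rp(wresult_xml):
    """What the WS-Federation web application ends up with: claim type -> list of values."""
    seen = {}
    for attr in ET.fromstring(wresult_xml).iter(f"{{{SAML1}}}Attribute"):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        seen[claim_type] = [v.text for v in attr.findall(f"{{{SAML1}}}AttributeValue")]
    return seen
```

Running `transition(SAMPLE_SAML2, "https://sp.example.com/geneva", "https://app.example.com/")` yields a wresult whose SAML 1.1 assertion names the SP as Issuer and carries only the mapped claims (emailaddress, givenname, role); the upstream OID attribute names never reach the web application, and an assertion addressed to a different audience is rejected before any claims are issued.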
Jesper,

We have very similar situations regarding the need to support the SAML 2.0 passive federation protocol. But alas, both our questions remain unanswered... I am beginning to get the feeling Microsoft really doesn't care whether we choose their federation software or not. Please prove me wrong, MS.... answer these questions.

My question is here.

Best regards,

Daniel Stolt
Check out this one: NetXtremeSaml for SAML v1.1 and NetXtremeSaml2 for SAML v2.0.
John Borders