Comments on: SAML Single Sign-on with Desktop Apps – Enabled by OAuth http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/ Pat Patterson on Identity Management, Federation and Single Malt Scotch Tue, 23 Feb 2010 05:03:39 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Pat Patterson http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-1482 Pat Patterson Thu, 21 Jan 2010 17:58:07 +0000 http://blog.superpat.com/?p=945#comment-1482 Hi Jonathan - I think the key thing here is that you can use Outlook to access your mail at Google, whether or not Google has a password for you. It's much more flexible. Yes, you can use SPNEGO to do SSO across Microsoft web infrastructure, but I don't think it scales to thousands of IdP's accessing an SP. To use SPNEGO, you would have to 'kerberize' the SP for all the IdP AD domain controllers, adding identities in each IdP's AD and copying keytab files. Ugh! Hi Jonathan – I think the key thing here is that you can use Outlook to access your mail at Google, whether or not Google has a password for you. It’s much more flexible.

Yes, you can use SPNEGO to do SSO across Microsoft web infrastructure, but I don’t think it scales to thousands of IdP’s accessing an SP. To use SPNEGO, you would have to ‘kerberize’ the SP for all the IdP AD domain controllers, adding identities in each IdP’s AD and copying keytab files. Ugh!

]]> By: Jonathan Gershater http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-1478 Jonathan Gershater Thu, 21 Jan 2010 00:33:13 +0000 http://blog.superpat.com/?p=945#comment-1478 hi Pat Doesn't Microsoft do this with SPNEGO ? It will take credentials that I used to authenticate to AD (and thus from any "thick client" like Outlook) and make those credentials available in IE for browser based Auth? Jonathan hi Pat
Doesn’t Microsoft do this with SPNEGO ? It will take credentials that I used to authenticate to AD (and thus from any “thick client” like Outlook) and make those credentials available in IE for browser based Auth?

Jonathan

]]> By: Pat Patterson http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-981 Pat Patterson Wed, 16 Dec 2009 03:24:41 +0000 http://blog.superpat.com/?p=945#comment-981 Hi Adam - All the information I have is in this blog entry. The linked articles at Google have some more detail; if you need more, you'll have to get in touch with Google - Eric's email address is on the page I linked to - http://eric.sachs.googlepages.com/ Hi Adam – All the information I have is in this blog entry. The linked articles at Google have some more detail; if you need more, you’ll have to get in touch with Google – Eric’s email address is on the page I linked to – http://eric.sachs.googlepages.com/

]]> By: Adam http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-980 Adam Wed, 16 Dec 2009 01:36:10 +0000 http://blog.superpat.com/?p=945#comment-980 I'd be very interested in more information, I've been looking for this for ages! Adam I’d be very interested in more information, I’ve been looking for this for ages!

Adam

]]> By: Pat Patterson http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-804 Pat Patterson Thu, 19 Nov 2009 19:16:25 +0000 http://blog.superpat.com/?p=945#comment-804 Word from Eric: <blockquote> There is actually no code in the OAuth enabled desktop that has any awareness of how federation or user-authentication happens at Google. In the generic case, the desktop app just tells Google it wants an OAuth token for "someones" mail/calendar API. In the more advanced case, it tells Google it wants an OAuth token for "someone in the domain acme.com." That seperation/indirection is very powerful in our opinion because the user can be authentication using any means, and the federation (if it happens) can use any protocol/mechanism. So we don't need to update the desktop app in the future if we add more federation mechanisms, or authentication mechanisms. </blockquote> I've amended my flow accordingly. Word from Eric:

There is actually no code in the OAuth enabled desktop that has any awareness of how federation or user-authentication happens at Google. In the generic case, the desktop app just tells Google it wants an OAuth token for “someones” mail/calendar API. In the more advanced case, it tells Google it wants an OAuth token for “someone in the domain acme.com.” That seperation/indirection is very powerful in our opinion because the user can be authentication using any means, and the federation (if it happens) can use any protocol/mechanism. So we don’t need to update the desktop app in the future if we add more federation mechanisms, or authentication mechanisms.

I’ve amended my flow accordingly.

]]> By: Pat Patterson http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-803 Pat Patterson Thu, 19 Nov 2009 18:19:13 +0000 http://blog.superpat.com/?p=945#comment-803 Hi Paul - I'm not certain of the exact detail - there may be more coupling later in the flow. I'll ask the Google guys if they'd like to clarify here... Hi Paul – I’m not certain of the exact detail – there may be more coupling later in the flow. I’ll ask the Google guys if they’d like to clarify here…

]]> By: Paul http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-801 Paul Thu, 19 Nov 2009 14:28:45 +0000 http://blog.superpat.com/?p=945#comment-801 Pat, it seems the only connection between SAML & OAuth is in your Step 1, ie in which Outlook 'invokes the browser with a SAML SP URL, including the request token as a query parameter. ' What param is Google using for this? After this, SAML seems completely separable from the OAuth piece, ie its just how Google authenticates the user before authz. I'm also exploring mechanisms by which SAML protocol messages can carry Oauth params/tokens Paul Pat, it seems the only connection between SAML & OAuth is in your Step 1, ie in which Outlook ‘invokes the browser with a SAML SP URL, including the request token as a query parameter. ‘

What param is Google using for this?

After this, SAML seems completely separable from the OAuth piece, ie its just how Google authenticates the user before authz.

I’m also exploring mechanisms by which SAML protocol messages can carry Oauth params/tokens

Paul

]]> By: Edward Wang http://blog.superpat.com/2009/11/12/saml-single-sign-on-with-desktop-apps-enabled-by-oauth/comment-page-1/#comment-766 Edward Wang Fri, 13 Nov 2009 10:27:50 +0000 http://blog.superpat.com/?p=945#comment-766 Nice reading. Thanks for posting, Mr. Patterson. Nice reading. Thanks for posting, Mr. Patterson.

]]>