Mar 15, 2007

From OpenLiberty.org Wiki

Present: Curtis Jones, Asa Hardcastle, Derrick Harcey, Scott Cantor

Session

Asa: If not a session, then what?

Scott: Session from the context of a webserver. Still developing new APIs for a service provider to use. Still at speculation phase. C++ running inside the webserver does not have the same. Caching security tokens is one of Scott's main foci. Java needs to do the same SSO stuff, but will need to focus on the same issues. GOAL: get a service provider out for SAML2. So far ahead of the curve that anticipating the proper method is difficult. Need to make sure that all security tokens in the course of an app session need to be stored inside a session. Writable sessions - add to them after they've been created. Need to store info that you get from the IdP upfront for bootstrap of the ID-WSF. Storage service based API. In memory or written to ODBC database.

Asa: Session contains EPR info, chain of EPRs

Asa: provide serializable objects -

Scott: no luxury of operating in a specific use case, call "Client Handle" or "Context" versus "Session"

Scott: Unit is something like a context handle associated with an attempt to invoke a certain service. Security tokens, multiple EPRs, nested context handles like

Scott: transport buried way down and handled separately. SOAP - intended to be transport independent. Want a particular caller invoking a logical peer at a particular end point - reused.

Asa: in practice use https for transport

Scott: in practice HTTP (usually over SSL)


SAML2

Scott: Libraries are done, they are working on value added stuff. Messaging stuff is completed. Coding the actual single sign on now.

Scott: bootstrap based on SAML2 SSO

Scott: all products are going to be totally different. No well defined bridge from doing websso and doing something else.
