More descriptions in the documentation, i.e. for SAML 2 and IdP handling
-----Original Message----- From: Shiino, Toshihiro/椎野 稔弘 Sent: Friday, 16 December 2016 09:16 [...] Digging into more details of the new feature, there are several issues I have encountered, and I am not able to find any description of them in the given documents, such as:
- For the SAML Single Logout feature newly provided in v16.1, I found no information about the logout/signature certificate in the metadata.
- Although NameIDFormat is stated as urn:oasis:names:tc:SAML:2.0:nameid-format:transient within the metadata, the logout message is sent with NameIdFormat fixed to http://schemas.xmlsoap.org/claims/UPN.
- The binding for returning from the IdP to the SP at logout did not work unless it is used with GET (and I assume this can be solved when the logout information is correctly output in the metadata and set forward automatically). [...]
I propose we start a public FAQ here. It would be an efficient medium for sharing experience and exchanging answers to questions like the above. There is already information in the OSCM manuals and a wiki with an architectural overview, including SAML2-based SSO in OSCM. In practice, however, it has turned out that setting up OSCM in SAML2 mode is not a task for beginners. It requires certain domain knowledge of the technologies used and concrete prior knowledge of configuring IdPs. In order to provide users with some way of self-support, we should gather questions from OSCM issues, the forum and the mailing list and create a Q&A list. This should be linked at the appropriate place in the wiki pages.
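The metadata/NameIDFormat mismatch and the missing logout endpoint information raised in the quoted message, as an added consistency check (example code written for this thread, not OSCM's own): it parses a constructed SP metadata document and a constructed LogoutRequest and reports when the request's NameID Format is not one the metadata declares, when no SingleLogoutService endpoint is published, or when no signing KeyDescriptor is present. Entity IDs, URLs and the certificate value are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata: declares a signing key, a Redirect (GET) SLO endpoint
# and the transient NameID format. Entity ID, URL and certificate are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example/oscm">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://sp.example/oscm/saml/logout"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutRequest that carries the UPN claim format instead of transient.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
 IssueInstant="2016-12-16T08:16:00Z">
 <saml:Issuer>https://sp.example/oscm</saml:Issuer>
 <saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@example</saml:NameID>
</samlp:LogoutRequest>"""


def check_slo_consistency(metadata_xml, logout_request_xml):
    """Return a list of findings; an empty list means request and metadata agree."""
    findings = []
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    # A KeyDescriptor with use="signing" (or without a use attribute, which covers
    # both uses) lets the IdP verify signed LogoutRequest/LogoutResponse messages.
    if not any(k.get("use") in (None, "signing")
               for k in sp.findall("md:KeyDescriptor", NS)):
        findings.append("no signing KeyDescriptor in metadata")
    if not sp.findall("md:SingleLogoutService", NS):
        findings.append("no SingleLogoutService endpoint in metadata")
    declared = {n.text.strip() for n in sp.findall("md:NameIDFormat", NS)}
    name_id = ET.fromstring(logout_request_xml).find("saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if declared and fmt not in declared:
        findings.append(f"LogoutRequest NameID Format {fmt} not in declared {sorted(declared)}")
    return findings
```

Running `check_slo_consistency(SP_METADATA, LOGOUT_REQUEST)` on the constructed input yields exactly the UPN-versus-transient finding the quoted message describes.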
Still no decision on this topic. Set to the next milestone.