Closed rwz closed 9 years ago
@rwz @dmcinnes Rocking! Hey, is it possible to get some elaboration on how the whole process works somewhere? I don't see much here or in Fido's README.
This is looking good, but I haven't dived in to any depth yet. This does seem to pull a lot of context about SAML into Identity though, which is something that I'd really like to avoid if at all possible. I'll try to suggest an alternate model (if one is even possible) after I have a better standing of the Identity <-> Fido <-> API interaction.
@brandur thanks! I've thrown together a process diagram that should help detail what's going on: https://github.com/heroku/fido/blob/master/docs/fido-process.md
Mostly the Identity piece is necessary because all of the other services like Dashboard depend on Identity's access token cookie.
Closing this in favor of #163
This adds two endpoints to support federated identity workflow.
/federated/:org_name/saml/init is an entry point to initiate the SAML dance.
/federated/:org_name/saml/finalize is the callback URL that accepts the SAMLResponse and exchanges it to authentication data using separate Federated Identity service (https://github.com/heroku/fido).

Ready for review @heroku/api @heroku/enterprise-experience-team