How are attributes mapped between .NET (ADFS / WIF) and Java (Federation)
Assume there are two companies: A.NET which is a .NET shop and B.Java which is a Java shop. Users in each company need to access the other company's web sites so the two companies set up Federation using ADFS and Oracle Identity Federation or OpenSSO Federation.
In the .NET world, the attributes are accessed as claims inside IClaimsPrincipal and IClaimsIdentity.
In the Java world, the attributes are accessed as HTTP headers.
Does the Federation infrastructure do this mapping automatically, i.e.:
If an A.NET user accesses a B.Java site, do they get their attributes as claims?
If a B.Java user accesses an A.NET site, do they get their attributes as headers?
Assuming you can use WS-Federation on both sides, then in both cases the main artifact you would be dealing with is a SAML token.
In general, your federation infrastructure is completely independent of the application stack. ADFS would issue SAML tokens in either case (for the Java app and for the .NET app). OIF would also have to issue SAML tokens for both sets of users.
In the .NET world, WIF will parse, validate, etc. the SAML token into a .NET object model that represents the information in it (the claims, the issuer, etc.). That object model is the ClaimsPrincipal (and all related interfaces and types). You would have to look at the WIF equivalent in the Java world. But in either case, the input is a SAML token.
In your scenario it is likely that there will be a token transformation in both STSs:
For the .NET app:
1- user from the B company authenticates on OIF and gets a SAML token for company A
2- user sends token to ADFS
3- ADFS reads the token from B, validates and issues a new token (potentially and very likely adding/transforming/removing claims)
4- user sends the transformed token to app A
The sequence for a user in A accessing the Java app on B is exactly the same. Notice there's a bidirectional trust in this case (Company A trusts the issuer in B and vice versa).
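The four-step flow above, modelled end to end as an added example (this is not code from the question, the answer, ADFS, OIF or WIF). It constructs a minimal unsigned SAML 2.0 assertion from B's issuer, has a hypothetical RP-STS standing in for ADFS validate it (issuer trust, audience, validity window) and re-issue it with an explicit, default-deny claim mapping, and then shows the same re-issued token surfacing as WIF-style claims and as Java-agent-style HTTP headers. The endpoint URLs, the inbound attribute names, the claim-rule table, the `X-Fed-` header prefix and the fixed clock `NOW` are all assumptions; the outbound claim type URIs are the standard WS-Federation/WIF ones. Signature verification is assumed to be done by the real federation product and is not implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
S = "{%s}" % SAML_NS
ET.register_namespace("saml", SAML_NS)

# Constructed identifiers for the two companies in the question (hypothetical, not real endpoints).
ISSUER_B = "https://oif.b-java.example/fed"                 # B.Java's federation server (OIF)
STS_A = "https://adfs.a-net.example/adfs/services/trust"    # A.NET's ADFS (the RP-STS)
APP_A = "https://app.a-net.example/"                        # the .NET application in A
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)      # fixed clock so the run is repeatable

# Assumed claim rules: inbound LDAP-style attribute names (as an OIF deployment might emit them)
# mapped to the standard WIF claim type URIs. Anything not listed (e.g. employeeNumber) is dropped,
# which is the safer default for a token that crosses a company boundary.
CLAIM_RULES = {
    "uid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "memberOf": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}


def build_assertion(issuer, audience, subject, attributes, not_on_or_after):
    """Serialize a minimal SAML 2.0 assertion (unsigned; signing is the product's job)."""
    a = ET.Element(S + "Assertion", Version="2.0")
    ET.SubElement(a, S + "Issuer").text = issuer
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID").text = subject
    cond = ET.SubElement(a, S + "Conditions", NotOnOrAfter=not_on_or_after.isoformat())
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = audience
    stmt = ET.SubElement(a, S + "AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, S + "Attribute", Name=name)
        for v in values:
            ET.SubElement(attr, S + "AttributeValue").text = v
    return ET.tostring(a, encoding="unicode")


def parse_assertion(xml_text):
    """Turn the XML into a plain dict: this is the 'object model' step WIF (or a Java agent) does."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(S + "Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(S + "AttributeValue")]
    cond = root.find(S + "Conditions")
    return {
        "issuer": root.findtext(S + "Issuer"),
        "subject": root.find(S + "Subject").findtext(S + "NameID"),
        "audience": cond.findtext(S + "AudienceRestriction/" + S + "Audience"),
        "not_on_or_after": datetime.fromisoformat(cond.get("NotOnOrAfter")),
        "attributes": attrs,
    }


def validate(token, trusted_issuers, expected_audience, now):
    """The checks an RP-STS performs before it trusts an inbound token; returns a list of problems."""
    problems = []
    if token["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer")
    if token["audience"] != expected_audience:
        problems.append("wrong audience")
    if now >= token["not_on_or_after"]:
        problems.append("token expired")
    return problems


def transform(token, rules, new_issuer, new_audience, now, lifetime=timedelta(minutes=10)):
    """Step 3: re-issue the token for the app, keeping only explicitly mapped claims."""
    outbound = {rules[n]: vals for n, vals in token["attributes"].items() if n in rules}
    return build_assertion(new_issuer, new_audience, token["subject"], outbound, now + lifetime)


def as_claims(token):
    """WIF-style view: (type, value, issuer) triples, like the claims on a ClaimsIdentity."""
    return [(t, v, token["issuer"]) for t, vals in token["attributes"].items() for v in vals]


def as_headers(token, prefix="X-Fed-"):
    """Java-agent-style view: one header per claim type, multi-valued claims joined with ';'.
    A real agent must first strip any same-named headers from the inbound request so that
    only agent-set values ever reach the application."""
    return {prefix + t.rsplit("/", 1)[-1]: ";".join(vals) for t, vals in token["attributes"].items()}


def run_flow(now=NOW):
    """Steps 1-4 for a B.Java user reaching the .NET app in A; returns both consumer views."""
    inbound = build_assertion(ISSUER_B, STS_A, "jdoe@b-java.example", {   # constructed user
        "uid": ["jdoe"], "mail": ["jdoe@b-java.example"],
        "memberOf": ["Sales", "Partners"], "employeeNumber": ["1234"],
    }, now + timedelta(minutes=5))
    t = parse_assertion(inbound)                      # step 2: ADFS receives B's token
    problems = validate(t, {ISSUER_B}, STS_A, now)    # step 3a: validate it
    if problems:
        raise ValueError(problems)
    reissued = transform(t, CLAIM_RULES, STS_A, APP_A, now)   # step 3b: re-issue for app A
    app_token = parse_assertion(reissued)             # step 4: the app's side parses it
    return as_claims(app_token), as_headers(app_token)


def rejection_demo(now=NOW):
    """What validate() reports for a token that is both expired and addressed to someone else."""
    stale = build_assertion(ISSUER_B, "https://other.example/", "x", {}, now - timedelta(seconds=1))
    return validate(parse_assertion(stale), {ISSUER_B}, STS_A, now)


if __name__ == "__main__":
    claims, headers = run_flow()
    print(claims)
    print(headers)
    print(rejection_demo())
```

The point the example makes concrete is the one in the answer: nothing about claims versus headers is "mapped" by the federation itself. Both consumers read the same SAML token; the claim/header distinction is purely how each application stack exposes the parsed token, while the transformation that matters for security (which issuer is trusted, which audience the token is for, which attributes survive the hop) happens in the RP-STS.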