Subject: RE: [security-services] Credentials collection proposal
Mike,
 
I don't know if you have developed usecases for this proposal.
 
On reflection, this proposal does not appear to support what I consider to be the "bread and butter" use case. In this use case, a pool of web or application servers communicate with browsers via HTTP or HTTPS. These servers, in turn, communicate with a small number of central servers which have access to one or more repositories containing user information, including passwords. The web or application servers act as credentials collectors, either collecting passwords via HTTP basic auth or form post, or by terminating SSL/TLS links with client certs (other AuthN methods may be supported as well). The web/app servers act as PEPs and perhaps PDPs. The central servers act as AuthN Authorities, Attribute Authorities and perhaps PDPs.
 
This is the configuration of most WAM products, including, I believe, Entrust's. In this environment, it is not satisfactory to require each web/app server to access the multiple repositories to verify passwords, which is what I understand your proposal to require.
 
Please tell me how I have misunderstood your ability to support this use case, or how in fact it can be supported.
 
Regards,
 
Hal
-----Original Message-----
From: Mike Just [mailto:Mike.Just@entrust.com]
Sent: Friday, September 13, 2002 5:04 PM
To: 'security-services@lists.oasis-open.org'
Subject: [security-services] Credentials collection proposal

As promised, here's a short (just 3 1/2 pages) proposal for incorporating credentials collection (i.e. a *new* authentication request) into SAML 2.0.  We can discuss on the conference call on Tuesday.

Cheers,
Mike

P.S. Apologies if the schema I've included is horribly incorrect.
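The topology Hal describes above (web/app servers as credentials collectors and PEPs, a small set of central servers as the only components that touch the password repositories), modelled in Python as an added example. This is not code from the proposal or from any WAM product, and the AuthnRequest/AuthnResponse shapes, the repository names and the user accounts are constructed stand-ins, not the SAML 2.0 schema under discussion. The point it makes concrete is the one in the thread: the collector parses HTTP Basic credentials and forwards them, and needs no knowledge of how many repositories exist or which one holds a given user.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# ---- central tier: authentication authority with the repositories ----------

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; repositories store only the salt and digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class Repository:
    """One user store (a directory or database) holding salted password hashes."""
    def __init__(self, name: str, users: Dict[str, str]) -> None:
        self.name = name
        self._entries = {}
        for uid, password in users.items():
            salt = secrets.token_bytes(16)
            self._entries[uid] = (salt, _hash_password(password, salt))

    def verify(self, uid: str, password: str) -> bool:
        entry = self._entries.get(uid)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))

@dataclass(frozen=True)
class AuthnRequest:
    """Hypothetical request carrying a collected credential (not the proposal's schema)."""
    subject: str
    password: str

@dataclass(frozen=True)
class AuthnResponse:
    success: bool
    authority: str
    repository: Optional[str]   # which store vouched for the subject, if any

class AuthnAuthority:
    """Central server: the only component holding repository connections."""
    def __init__(self, name: str, repositories: List[Repository]) -> None:
        self.name = name
        self._repositories = repositories

    def authenticate(self, request: AuthnRequest) -> AuthnResponse:
        # The authority, not the web tier, walks the multiple repositories.
        for repo in self._repositories:
            if repo.verify(request.subject, request.password):
                return AuthnResponse(True, self.name, repo.name)
        return AuthnResponse(False, self.name, None)

# ---- web/app tier: credentials collector and PEP --------------------------

class CredentialsCollector:
    """Web/app server: parses HTTP Basic credentials, forwards them to the
    authority and enforces the answer. It holds no repository handle at all."""
    def __init__(self, authority: AuthnAuthority) -> None:
        self._authority = authority

    def handle(self, headers: Dict[str, str]) -> int:
        """Return the HTTP status the PEP would send for this browser request."""
        value = headers.get("Authorization", "")
        if not value.startswith("Basic "):
            return 401  # nothing collected yet: challenge the browser
        try:
            decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return 400  # malformed header: reject before contacting the authority
        user, sep, password = decoded.partition(":")
        if not sep or not user:
            return 400
        response = self._authority.authenticate(AuthnRequest(user, password))
        return 200 if response.success else 401

def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}

def build_demo() -> CredentialsCollector:
    """Constructed sample deployment: two repositories behind one central authority."""
    employees = Repository("ldap-employees", {"alice": "correct horse"})
    partners = Repository("sql-partners", {"bob": "battery staple"})
    authority = AuthnAuthority("central-authn", [employees, partners])
    return CredentialsCollector(authority)

if __name__ == "__main__":
    collector = build_demo()
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"), ("bob", "wrong")]:
        print(user, collector.handle(basic_header(user, pw)))
```

Two things the model leaves implicit that a deployment cannot: the collected password crosses the hop from collector to authority in usable form, so that link needs transport protection and mutual authentication between the two tiers, and the authority should rate-limit or lock out subjects, since the collector has no view across the pool of web servers to do so itself.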