id-cloud message

Subject: Comments on Identity in the Cloud PaaS Profile, Version 1.0


Dear list,

Here are my comments on this doc. Having implemented federated identity management in OpenStack, we have some experience of this topic.

1. The Authentication Services should be renamed Identification and Authentication Services with a revised definition, thus:

are responsible for identifying and authenticating users to PaaS applications. Identification and Authentication Services need to take into consideration that the authenticated identity may be a federated identity, and that these services may be provided by federated identity providers.

2. Use Case 26. Identity impersonation.
We should have no recognition or support for this feature. Impersonation is bad, full stop (since you cannot tell the difference between the real entity and an impersonator; they are the same as far as the system is concerned). What you want is delegation, so that they have the same Authz rights but have different authenticated identities. Then you can do a proper audit. So strike out identity impersonation.

3. There are other challenges for section 4. Namely:

A. Trust management
The trust that a cloud service has in the identification, authentication and authorisation capabilities of a federated identity provider needs to be managed and controlled.

B. Identity Mapping
There is a need to be able to map between the identity asserted by a federated identity provider and the authorised identity(ies) recognised by the cloud applications.

C. 4.2 should be renamed User Provisioning

Regards,

David
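The distinction between impersonation and delegation drawn in point 2, together with the IdP trust and identity-mapping challenges of point 3, can be made concrete in a small authorisation model. The following is an added example, not code from this email, from OpenStack or from the OASIS profile: the identity provider name `acme-idp`, the subjects `a.smith`/`b.jones`, the local identities `alice`/`bob` and the rights granted to them are all constructed. It shows why an impersonated session leaves an audit trail that cannot distinguish the impersonator from the real entity, while a delegated session carries both the authenticated identity and the identity whose rights are exercised.

```python
"""Impersonation versus delegation, with IdP trust and identity mapping.

Added example; not code from the email, OpenStack or the OASIS profile.
All identity provider names, subjects and role grants are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """An identity as asserted by a federated identity provider."""
    idp: str      # issuing IdP, e.g. "acme-idp" (constructed)
    subject: str  # subject name asserted by that IdP


@dataclass(frozen=True)
class Session:
    """actor is who actually authenticated; on_behalf_of is set only for a
    delegated session and names the principal whose rights are exercised."""
    actor: Principal
    on_behalf_of: Optional[Principal] = None


# Trust management (challenge A): IdPs this service is willing to believe.
TRUSTED_IDPS: Set[str] = {"acme-idp"}

# Identity mapping (challenge B): federated (idp, subject) -> local identity.
IDENTITY_MAP: Dict[Tuple[str, str], str] = {
    ("acme-idp", "a.smith"): "alice",
    ("acme-idp", "b.jones"): "bob",
}

# Local authorisation policy: rights held by each local identity (constructed).
RIGHTS: Dict[str, Set[str]] = {"alice": {"deploy", "read"}, "bob": {"read"}}

# Audit trail: one record per authorisation decision.
AUDIT: List[Dict[str, object]] = []


def map_identity(p: Principal) -> str:
    """Resolve a federated identity to a local one, refusing untrusted IdPs
    and subjects with no mapping."""
    if p.idp not in TRUSTED_IDPS:
        raise PermissionError(f"untrusted identity provider: {p.idp}")
    try:
        return IDENTITY_MAP[(p.idp, p.subject)]
    except KeyError:
        raise PermissionError(f"no local identity for {p.idp}/{p.subject}") from None


def impersonate(target: Principal) -> Session:
    """Impersonation: the session simply *is* the target. Nothing records
    who really authenticated, so the audit trail cannot tell them apart."""
    return Session(actor=target)


def delegate(actor: Principal, principal: Principal) -> Session:
    """Delegation: the actor keeps its own authenticated identity and
    exercises the principal's rights; both survive into the audit record."""
    return Session(actor=actor, on_behalf_of=principal)


def perform(session: Session, action: str) -> bool:
    """Authorise `action` with the rights of the effective identity and write
    an audit record naming both the authenticated and the acting identity."""
    authenticated_as = map_identity(session.actor)
    acting_as = (map_identity(session.on_behalf_of)
                 if session.on_behalf_of else authenticated_as)
    allowed = action in RIGHTS.get(acting_as, set())
    AUDIT.append({"authenticated_as": authenticated_as,
                  "acting_as": acting_as,
                  "action": action,
                  "allowed": allowed})
    return allowed


def try_perform(session: Session, action: str) -> bool:
    """Like perform(), but treat a trust or mapping failure as a denial."""
    try:
        return perform(session, action)
    except PermissionError:
        return False


def demo() -> List[Dict[str, object]]:
    """Run the scenarios from the discussion and return the audit trail."""
    AUDIT.clear()
    alice = Principal("acme-idp", "a.smith")
    bob = Principal("acme-idp", "b.jones")
    # Scenario 1: bob's process impersonates alice. The deploy succeeds, but
    # the record shows alice and only alice; bob's involvement is invisible.
    perform(impersonate(alice), "deploy")
    # Scenario 2: bob authenticates as himself and acts on alice's behalf. The
    # deploy still succeeds (alice's rights) and the record names both parties.
    perform(delegate(bob, alice), "deploy")
    # Scenario 3: an assertion from an IdP the service does not trust is refused
    # before any authorisation decision and produces no audit record.
    try_perform(Session(Principal("unknown-idp", "a.smith")), "deploy")
    return list(AUDIT)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running `demo()` yields two audit records: the impersonated deploy is attributed entirely to `alice`, while the delegated deploy records `bob` as the authenticated identity and `alice` as the identity whose rights were used, which is the property the email asks for. The refusal of `unknown-idp` happens in `map_identity`, before any rights are consulted, which is where the trust-management control belongs.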

