Subject: Re: [id-cloud] Comments on Identity in the Cloud PaaS Profile, Version 1.0
On 05/15/2013 06:27 AM, David Chadwick wrote:
Dear list, here are my comments on this doc. Having implemented federated identity management in OpenStack, we have some experience of this topic.

1. The Authentication Services should be renamed Identification and Authentication Services with a revised definition, thus: are responsible for identifying and authenticating users to PaaS applications. Identification and authentication Services need to take into consideration that the authenticated identity may be a federated identity, and that these services may be provided by federated identity providers.

2. Use Case 26. Identity impersonation. We should have no recognition or support for this feature. Impersonation is bad, full stop (since you cannot tell the difference between the real entity and an impersonator - they are the same as far as the system is concerned). What you want is delegation, so that they have the same Authz rights, but have different authenticated identities. Then you can do a proper audit. So strike out identity impersonation.
David - the use case is when the cloud support team wants to debug issues a user is facing with the PaaS. I am unsure delegation works for this use case.
3. There are other challenges for section 4. Namely:

A. Trust management. The trust that a cloud service has in the identification, authentication and authorisation capabilities of a federated identity provider needs to be managed and controlled.

B. Identity Mapping. There is a need to be able to map between the identity asserted by a federated identity provider and the authorised identity(ies) recognised by the cloud applications.

C. 4.2 should be renamed User Provisioning.

regards

David
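As an added illustration of the delegation-versus-impersonation point raised in the thread (example code written for this page, not code from the thread, from OpenStack or from the PaaS profile): the support-debugging use case is modelled both ways, and the audit log shows why delegation keeps the authenticated identity while impersonation loses it. The principal names, permission strings and audit structure are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample authorization data for a PaaS tenant (hypothetical names).
PERMISSIONS: Dict[str, Set[str]] = {
    "alice@customer.example": {"app:read", "app:deploy"},
    "support-eng@paas.example": {"support:act-as"},  # may act on behalf of users
}


@dataclass(frozen=True)
class Principal:
    """subject: whose authz rights apply; actor: who actually authenticated
    (None means the subject is acting directly)."""
    subject: str
    actor: Optional[str] = None


@dataclass(frozen=True)
class AuditEntry:
    action: str
    subject: str   # the identity whose rights were evaluated
    actor: str     # the identity the log attributes the action to
    allowed: bool


AUDIT: List[AuditEntry] = []


def authorize(principal: Principal, action: str) -> bool:
    """Authz is decided on the subject's rights; the audit record names the actor."""
    allowed = action in PERMISSIONS.get(principal.subject, set())
    AUDIT.append(AuditEntry(action, principal.subject,
                            principal.actor or principal.subject, allowed))
    return allowed


def impersonate(user: str) -> Principal:
    """Impersonation: the support engineer simply *becomes* the user. The
    authenticated identity is discarded, so the audit trail cannot tell them apart."""
    return Principal(subject=user)


def delegate(user: str, actor: str) -> Principal:
    """Delegation: same authz rights as the user, but the actor stays recorded.
    The actor must itself hold the (constructed) support:act-as right."""
    if "support:act-as" not in PERMISSIONS.get(actor, set()):
        raise PermissionError(f"{actor} is not allowed to act on behalf of users")
    return Principal(subject=user, actor=actor)


def actors_for(action: str) -> Set[str]:
    """Who, according to the audit log, performed `action`?"""
    return {e.actor for e in AUDIT if e.action == action}
```

Both calls succeed with Alice's rights, but only the delegated call leaves a record attributing the deployment to the support engineer.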