Subject: Re: [saml-dev] Saml idp in java servlet filter?
On Sun, Dec 28, 2008 at 2:31 PM, Morgan Packard <hellomorganpackard@gmail.com> wrote:
>
> In this case, what does my "application's security domain" mean?

It means that the identity provider is deployed "close to" the application, such that trust and policy issues are minimized.

To understand what is meant by "the same security domain," it is perhaps easiest to imagine its absence. If you were to join a SAML federation (sometimes referred to as a "circle of trust"), all sorts of trust and policy issues arise. Most importantly, what are the keys and endpoints of the entities you choose to trust? Will you use SAML metadata or some other mechanism to facilitate the use of trusted keys and endpoints? Once the basic trust mechanisms are in place, there are numerous policy issues involving identifiers and attributes that must be addressed on an entity-by-entity basis. It's no small task setting up a federation.

Since you're just starting out, you don't want to have to deal with all that right now ;-) You simply want to prepare your application for federated identity, so you set up your own IdP (or leverage an existing IdP set up specifically for this purpose) and retool your application to consume SAML identity asserted by that IdP instead of authenticating your users directly. That's the first step.

> The
> built-in security/authentication components of the app server?

No, you basically want to ignore the built-in security capability of your app server. That's where you tend to get locked into a particular solution or vendor. Instead you protect your application with a SAML service provider and provide access to users based on the SAML assertions they present to you. As a result, your application need not manage credentials (i.e., usernames/passwords) to provide access to users. Instead your application trusts a separate entity (the SAML identity provider) to authenticate users, manage credentials, and issue assertions.

HTH,
Tom
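One way to implement the service-provider side of the arrangement Tom describes, as an added example that is not part of this thread (Python rather than a servlet filter; the metadata, assertion, entityIDs and certificate text are constructed, and actual XML-Signature verification is left to a SAML library, this code only decides which issuer and key the SP is allowed to trust):

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://app.example.com/sp"  # constructed entityID of our own SP

# Constructed metadata for the one IdP we trust: entityID, signing certificate, SSO endpoint.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-IDP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Location="https://idp.example.org/idp/SSO"/></md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion as that IdP would issue it for our SP (SignatureValue omitted for brevity).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-IDP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Conditions NotBefore="2008-12-28T14:00:00Z" NotOnOrAfter="2008-12-28T14:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""

_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML timestamps are UTC with a trailing Z

def load_trusted_idps(metadata_xml):
    """Map entityID -> {"certs": set of base64 certs, "sso": SSO endpoint URL} from SAML metadata."""
    idps = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        certs = set()
        for kd in ed.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' is valid for any use
                certs |= {c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)}
        sso = ed.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
        idps[ed.get("entityID")] = {"certs": certs, "sso": None if sso is None else sso.get("Location")}
    return idps

def accept_assertion(assertion_xml, trusted, sp_entity_id, now):
    """Return (accepted, reason). Which key may be trusted comes from metadata, never from the assertion."""
    a = ET.fromstring(assertion_xml)
    idp = trusted.get(a.findtext("saml:Issuer", default="", namespaces=NS).strip())
    if idp is None:
        return False, "untrusted issuer"
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if cert.strip() not in idp["certs"]:
        return False, "signing certificate not published in trusted metadata"
    # XML-DSig verification of the assertion with that certificate is assumed to happen here (library call).
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    if sp_entity_id not in {x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}:
        return False, "assertion not addressed to this SP"
    return True, "ok"

def sp_decision(assertion_xml, now_iso):
    """Convenience wrapper: decide on an assertion using the constructed metadata above."""
    return accept_assertion(assertion_xml, load_trusted_idps(IDP_METADATA), SP_ENTITY_ID, _ts(now_iso))
```

A servlet filter built on the same idea would run these checks (plus signature verification) on each request and only then let the application see the asserted identity.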