
saml-dev message


Subject: Re: [saml-dev] Saml idp in java servlet filter?

On Sun, Dec 28, 2008 at 2:31 PM, Morgan Packard
<hellomorganpackard@gmail.com> wrote:
> In this case, what does my "application's security domain" mean?

It means that the identity provider is deployed "close to" the
application, such that trust and policy issues are minimized.  To
understand what is meant by "the same security domain," it is perhaps
easiest to imagine its absence.  If you were to join a SAML federation
(sometimes referred to as a "circle of trust"), all sorts of trust and
policy issues arise.  Most importantly, what are the keys and
endpoints of the entities you choose to trust?  Will you use SAML
metadata or some other mechanism to facilitate the use of trusted keys
and endpoints?  Once the basic trust mechanisms are in place, there
are numerous policy issues involving identifiers and attributes that
must be addressed on an entity-by-entity basis.  It's no small task
setting up a federation.

Since you're just starting out, you don't want to have to deal with
all that right now ;-)  You simply want to prepare your application
for federated identity, so you set up your own IdP (or leverage an
existing IdP set up specifically for this purpose) and retool your
application to consume SAML identity asserted by that IdP instead of
authenticating your users directly.  That's the first step.

> The
> built-in security/authentication components of the app server?

No, you basically want to ignore the built-in security capability of
your app server.  That's where you tend to get locked into a
particular solution or vendor.  Instead you protect your application
with a SAML service provider and provide access to users based on the
SAML assertions they present to you.  As a result, your application
need not manage credentials (i.e., usernames/passwords) to provide
access to users.  Instead your application trusts a separate entity
(the SAML identity provider) to authenticate users, manage
credentials, and issue assertions.
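As an added illustration of the "trusted keys" side of the answer above (this is example code, not from the thread or from any SAML toolkit): a service provider that pins its IdP's signing certificate out of SAML metadata and applies the basic acceptance checks to an assertion before granting access. The entity IDs, certificate and timestamps are constructed placeholders, and cryptographic verification of the XML signature is assumed to come from a signature library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed inputs (placeholder entityIDs/cert): the SP's own IdP metadata and an assertion it issued.
IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/idp"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
ASSERTION = """<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-12-28T19:30:00Z"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.org/idp</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature><saml:Conditions NotBefore="2008-12-28T19:30:00Z" NotOnOrAfter="2008-12-28T19:35:00Z">
 <saml:AudienceRestriction><saml:Audience>https://app.example.org/sp</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def load_trusted_idps(metadata_xml):
    """Trust registry from metadata: IdP entityID -> set of pinned signing certificates."""
    registry = {}
    # iter() also yields the root, so a lone EntityDescriptor or a federation EntitiesDescriptor both work
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        registry[ed.get("entityID")] = {c.text.strip()
                                        for kd in ed.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
                                        if kd.get("use", "signing") == "signing"  # no 'use' = both uses
                                        for c in kd.iter("{%s}X509Certificate" % NS["ds"])}
    return {eid: certs for eid, certs in registry.items() if certs}  # SP-only entities have no IdP keys

parse_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML uses UTC 'Z' timestamps

def check_assertion(assertion_xml, registry, sp_entity_id, now):
    """SP-side trust checks; verifying the XML-DSig signature under the pinned cert is left to a library."""
    a = ET.fromstring(assertion_xml)
    issuer = (a.findtext("saml:Issuer", "", namespaces=NS) or "").strip()
    if issuer not in registry:
        return False, "issuer not in metadata"
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", namespaces=NS)
    if (cert or "").strip() not in registry[issuer]:
        return False, "signing certificate not pinned in metadata"
    audiences = [x.text.strip() for x in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not addressed to this SP"
    cond = a.find("saml:Conditions", NS)  # present, since the audience check passed
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_ts(nb)) or not na or now >= parse_ts(na):
        return False, "assertion outside its validity window"
    return True, "ok"
```

Because the registry is built only from metadata, swapping the IdP (or joining a federation later) means changing the metadata the SP loads, not the application code.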

