[security-dev] PicketLink Authentication Discussions
Anil.Saldhana at redhat.com
Thu Dec 6 11:51:05 EST 2012
I think we should continue the other thread on "Credential API design".
It just shows how we all agree to disagree. :)
I suggest the following:
a) IDM Subsystem should concentrate on Identity constructs
(User,Role,Group,Attribute,Application,Tier etc) and stores (db,ldap etc).
b) Lets move authentication and credential handling to a layer above
IDM. Maybe PL Authentication subsystem. We did do some implementation
in PicketBox5 that we used password credential, otp, social, kerberos
etc etc with one authentication logic. We can take a look at that.
c) Lets document all the credential types and usecases we plan to
support. I know we want to do combined authentication, silent
authentication, digest, salt/hash, multiple channels etc etc.
c) is going to be the most contentious piece of the puzzle that the
industry is still not solved. Given that authentication semantics
compared to fine grained authorization are finite, we should have solved
More information about the security-dev