[security-dev] Entitlement versus Enforcement Model

Bill Burke bburke at redhat.com
Wed Nov 7 15:44:54 EST 2012

On 11/7/2012 3:28 PM, Anil Saldhana wrote:
> On 11/07/2012 01:21 PM, Bill Burke wrote:
>> I'm working on prototype/protocol that combines client-cert and signed
>> tokens.
>> Token is signed by the IDP and contains:
>> * user identity
>> * roles/permissions
>> * expiration/timestamp
> Bill,  this translates to a SAML Response from an IDP that contains
> Authentication Statement (who the user is, who issued the assertion,
> public key of the IDP etc) and attribute Statements (roles/permissions
> can be viewed as attributes an identity has).
> If we can somehow translate this entire thing into a JSON construct, it
> will be lightweight and cool.

Translating all the verbose nonsense contained in SAML documents to the 
much simpler domain of Java EE role-based model is something you'll have 
to do anyways.  You probably *already* have it. :)

What I want to see happen is ditching SAML entirely for a very tight 
token format that is as small as possible.  If you follow this route, 
you can include signed tokens within URLs (Will work great with OAuth2). 
SAML documents are just WAY too big for these types of redirection 

IMO, SAML is ridiculous.  All the metadata a service needs in an 
authenticated request is really userid, permission metadata, and maybe a 
URL that references the full information about that user.  If the 
service wants information like first/last name, email, etc., it can 
query this URL and negotiate the desired format using HTTP.

To integrate with existing SAML-based solutions, is there any reason an 
IDM Proxy couldn't be written that is a bridge between this simple token 
protocol and the SAML-based third-party?


Bill Burke
JBoss, a division of Red Hat
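As an added illustration of the compact token described above (example code written for this page, not code from the thread or from any Red Hat project), here is a minimal URL-safe signed token carrying user id, roles and expiry, with a verifier that checks the signature and expiry before trusting any claim. It assumes an HMAC key as a stand-in for the IDP's real signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the IDP's signing key (assumption:
# a shared HMAC secret; a real IDP would use a public-key signature).
IDP_KEY = b"constructed-demo-key"


def _b64u(raw: bytes) -> str:
    """base64url without padding: only [A-Za-z0-9_-], so it drops into a URL as-is."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, ttl: int, now: int = None, key: bytes = IDP_KEY) -> str:
    """IDP side: build '<claims>.<signature>' with user id, roles and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": roles, "exp": now + ttl}
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64u(sig)


def verify_token(token: str, now: int = None, key: bytes = IDP_KEY):
    """Service side: return the claims only if signature and expiry hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; check the signature before parsing any claim.
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None
        claims = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The token only references the user; richer profile data would come from the per-user URL the message mentions, fetched separately.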
