[security-dev] Entitlement versus Enforcement Model
Bill Burke
bburke at redhat.com
Wed Nov 7 15:44:54 EST 2012
On 11/7/2012 3:28 PM, Anil Saldhana wrote:
>
> On 11/07/2012 01:21 PM, Bill Burke wrote:
>> I'm working on prototype/protocol that combines client-cert and signed
>> tokens.
>>
>> Token is signed by the IDP and contains:
>> * user identity
>> * roles/permissions
>> * expiration/timestamp
> Bill, this translates to a SAML Response from an IDP that contains
> Authentication Statement (who the user is, who issued the assertion,
> public key of the IDP etc) and attribute Statements (roles/permissions
> can be viewed as attributes an identity has).
> If we can somehow translate this entire thing into a JSON construct, it
> will be lightweight and cool.
>
Translating all the verbose nonsense contained in SAML documents to the
much simpler domain of the Java EE role-based model is something you'll have
to do anyway. You probably *already* have. :)
What I want to see happen is ditching SAML entirely for a very tight
token format that is as small as possible. If you follow this route,
you can include signed tokens within URLs (will work great with OAuth2).
SAML documents are just WAY too big for these types of redirection
protocols.
IMO, SAML is ridiculous. All the metadata a service needs in an
authenticated request is really userid, permission metadata, and maybe a
URL that references the full information about that user. If the
service wants information like first/last name, email, etc., it can
query this URL and negotiate the desired format using HTTP.
To integrate with existing SAML-based solutions, is there any reason an
IDM Proxy couldn't be written that is a bridge between this simple token
protocol and the SAML-based third party?
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
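As an added illustration of the compact signed token described in this message (example code, not from the thread or from JBoss/Red Hat): a JSON body carrying user id, roles, expiry and a user-info URL, signed by the IDP and base64url-encoded so it fits in a redirect URL. It assumes HMAC-SHA256 with a constructed shared key standing in for the IDP signature (a real IDP would sign with an asymmetric key so services only hold the public half), and a constructed `https://idp.example` info URL.

```python
import base64, hashlib, hmac, json, time, urllib.parse

IDP_KEY = b"constructed-demo-key-not-for-use"  # assumption: IDP signing secret

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user: str, roles: list, ttl: int, now=None, key=IDP_KEY) -> str:
    """IDP side: sign {user, roles, exp, info-URL} and pack it as body.sig."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": roles, "exp": now + ttl,
              "info": f"https://idp.example/users/{user}"}  # constructed URL
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64u(body) + "." + b64u(sig)

def verify_token(token: str, now=None, key=IDP_KEY):
    """Service side: return the claims only if the signature checks out and
    the token is unexpired; otherwise None (malformed, tampered, expired)."""
    now = int(time.time()) if now is None else now
    try:
        body_s, sig_s = token.split(".")
        body, sig = b64u_decode(body_s), b64u_decode(sig_s)
    except ValueError:            # wrong part count or bad base64url
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(body)     # body is authentic at this point
    if claims.get("exp", 0) <= now:
        return None
    return claims

def has_role(claims, role: str) -> bool:
    """Java EE style role check against the verified claims."""
    return claims is not None and role in claims.get("roles", [])

def redirect_url(base: str, token: str) -> str:
    # Only base64url characters and '.', so the token rides in a redirect URL.
    return base + "?" + urllib.parse.urlencode({"token": token})
```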