[security-dev] IDM Realms and Applications - The Nitty Gritty
Shane Bryzak
sbryzak at redhat.com
Tue Nov 13 22:04:08 EST 2012
On 11/14/2012 12:24 PM, David M. Lloyd wrote:
> I'm not sure I understand the rationale of the relationship between
> realms and applications.
>
> To me the concept of a "realm" in terms of identity management relates
> more to segregating users into groups based on organizational and
> technological realities. For example, if I am hosting a multi-tenant
> application I might have a realm for each of my customers (but only one
> or a few application(s)). For another example, I might have a realm for
> application authentication (i.e. regular users), a realm for
> computer-to-computer authentication (might be identified by public key
> or certificate or some other atypical principal type), and a realm for
> administration, all of which are utilized by one or a few application(s).
That's a good point and a valid use case that I thought I had taken into
consideration, however thinking about it a little deeper there are some
nuances of the design that have question marks over them. Let me think
about it a little more and I'll get back to you.
>
> Unless I'm grossly misunderstanding the concepts (a very real
> possibility), it seems like applications should be decoupled from realms
> completely.
Possibly, and while it's relatively clear that Users would remain within
the Realm and Roles would remain defined by the Application, I'm not
quite sure where Groups would fit in. My first instinct is to keep them
in the Realm also, although I'm not 100% sure... time for some mulling I
think.
More information about the security-dev
mailing list