[security-dev] PicketLink Capabilities - Authentication

Darran Lofthouse darran.lofthouse at jboss.com
Thu Nov 29 06:13:04 EST 2012


Hello all,

Just looking at how I could make use of PicketLink within AS7 and have 
a couple of questions.

For Digest based authentication mechanisms I see there is some initial 
support but I have a couple more requirements I will raise separately.

The next area I am looking into is SSL and Client Cert style 
authentication - a couple of things I am interested in here: is 
there a capability to take a certificate, validate it and then return 
the identity of the user from that certificate?  i.e. I am not looking 
to load the user first and then validate the certificate.

Secondly in this area could it be conceivable to implement an 
X509TrustStore that is backed by PicketLink?  If we could obtain all 
valid certificates or the certificate of a CA we could create 
something in advance but I am interested in if we could have something 
more dynamic.

Following on from this I have one more case that I am not sure if it 
would fit within an IDM or if we would handle it outside first and only 
access the IDM once we have verified the user and that is GSSAPI/SPNEGO 
style authentication.  In this case we receive one or more tokens from a 
user and send one or more challenges back to the user - at the end of 
this authentication process we know the identity of the user.

Also interested in knowing if anyone else has other authentication 
scenarios identified where all we may have is the 'Credential' and the 
user is not identified until after this has been verified.

Regards,
Darran Lofthouse.
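The two certificate scenarios in the message above (validate a client certificate first and only then derive the user's identity, and a trust manager whose set of trusted CAs is fetched dynamically rather than baked into a static keystore) can be sketched with plain JDK APIs. The following is an added illustration, not PicketLink or AS7 code; the `TrustAnchorSource` interface is a hypothetical stand-in for whatever identity store would supply the CA certificates, and the identity is taken to be the CN of the subject, which is an assumption that a real deployment would replace with its own mapping rule.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical source of trusted CA certificates, e.g. backed by an identity store. */
interface TrustAnchorSource {
    /** Returns the CAs trusted at this moment; consulted on every validation, so changes apply immediately. */
    Collection<X509Certificate> currentTrustedCas();
}

/** Validates a presented chain against the current CA set, then derives the identity from the leaf. */
public final class CertificateIdentityAuthenticator implements X509TrustManager {
    private final TrustAnchorSource source;

    public CertificateIdentityAuthenticator(TrustAnchorSource source) {
        this.source = source;
    }

    /** Credential first, identity second: no user lookup happens before the chain is accepted. */
    public String authenticate(X509Certificate[] chain) throws CertificateException {
        validate(chain);
        return identityFrom(chain[0]);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertised to the TLS peer; re-read from the source so newly added CAs are offered.
        return source.currentTrustedCas().toArray(new X509Certificate[0]);
    }

    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate ca : source.currentTrustedCas()) {
            anchors.add(new TrustAnchor(ca, null));
        }
        if (anchors.isEmpty()) {
            throw new CertificateException("no trusted CAs available");
        }
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            // Revocation checking is switched off so the example runs offline;
            // a deployment should enable it and supply CRLs or OCSP.
            params.setRevocationEnabled(false);
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            throw new CertificateException("certificate chain rejected: " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("certificate validation failed", e);
        }
    }

    /** Assumed mapping rule: the CN of the subject DN names the user. */
    static String identityFrom(X509Certificate cert) throws CertificateException {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN: " + dn, e);
        }
        throw new CertificateException("subject DN carries no CN: " + dn);
    }
}
```

Installing the class as the trust manager of an `SSLContext` lets the TLS handshake itself enforce the chain check, while a servlet or login module can call `authenticate()` on the chain it receives (for example from the `javax.servlet.request.X509Certificate` request attribute) to obtain the user name only after the credential has been verified. Because `currentTrustedCas()` is consulted on every call, a CA added to or removed from the backing store takes effect without rebuilding a keystore, which is the "more dynamic" behaviour asked about above.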



