Re: [security-dev] Entitlement versus Enforcement Model

On 11/7/2012 3:28 PM, Anil Saldhana wrote: > On 11/07/2012 01:21 PM, Bill Burke wrote: >> I'm working on prototype/protocol that combines client-cert and signed >> tokens. >> >> Token is signed by the IDP and contains: >> * user identity >> * roles/permissions >> * expiration/timestamp > Bill, this translates to a SAML Response from an IDP that contains > Authentication Statement (who the user is, who issued the assertion, > public key of the IDP etc) and attribute Statements (roles/permissions > can be viewed as attributes an identity has). > If we can somehow translate this entire thing into a JSON construct, it > will be lightweight and cool. > Translating all the verbose nonsense contained in SAML documents to the much simpler domain of Java EE role-based model is something you'll have to do anyways. You probably have *already* it. :) What I want to see happen is ditching SAML entirely for a very tight token format that is as small as possible. If you follow this route, you can include signed tokens within URLs (Will work great with OAuth2). SAML documents are just WAY too big for these types of redirection protocols. IMO, SAML is ridiculous. All the metadata a service needs in an authenticated request is really userid, permission metadata, and maybe a URL that references the full information about that user. If the service wants information like first/last name, email, etc., it can query this URL and negotiate the desired format using HTTP.

To integrate with existing SAML based solutions, is there any reason an IDM Proxy couldn't be written that is a bridge between this simple token protocol and the SAML-based third-party? Bill