[security-dev] PicketLink Authentication Discussions

Anil Saldhana Anil.Saldhana at redhat.com
Thu Dec 6 11:51:05 EST 2012


Hi All,

I think we should continue the other thread on "Credential API design".  
It just shows how we all agree to disagree. :)

I suggest the following:
a) IDM Subsystem should concentrate on Identity constructs 
(User,Role,Group,Attribute,Application,Tier etc) and stores (db,ldap etc).
b) Lets move authentication and credential handling to a layer above 
IDM.  Maybe PL Authentication subsystem.  We did do some implementation 
in PicketBox5 that we used password credential, otp, social, kerberos 
etc etc with one authentication logic.  We can take a look at that.
c) Lets document all the credential types and usecases we plan to 
support.  I know we want to do combined authentication, silent 
authentication, digest, salt/hash, multiple channels etc etc.

c) is going to be the most contentious piece of the puzzle that the 
industry is still not solved.  Given that authentication semantics 
compared to fine grained authorization are finite, we should have solved 
this easily.

Regards,
Anil


More information about the security-dev mailing list