SAML. I badly need practical advice

I have read some articles about SAML and found it complex.
If I understood what I read, then to implement SAML you need some assertion authority (AA) server accessible by all servers in your domain. This AA server provides to all servers information about the current rights and permissions of some user (object) in your domain. If some server has authenticated some user, it should notify the AA about the fact of authentication. But from my point of view it should add a digital signature to the message, because otherwise the AA could not trust this information.
When some server in the domain requires information about the user that initiated the request, it can access the AA in order to get information about rights and permissions. If the user has already been authenticated by some server in your domain, then other servers should take for granted that the user is part of the domain.
Correct me if I am wrong.
Everything looks fine, but it does not solve these problems:
1. If some malefactor sent a forged request to some server in the domain using the id of an authenticated user, we have no chance to verify the user's identity. OK, we have an assertion that this user was authenticated, but how do we check that this particular message came from the user and not from somebody else? The assertion itself does not help me do that.
2. The case when I redirect a request from one server to another also confuses me. What is a redirection when we speak about WS? How can I change the original user message, if it was signed with a digital signature, in order to add some assertion reference to it? If I want to create a new message and send it again, I don't need any assertion reference. I just create a new message, sign it with my digital signature and send it to the destination server.
3. Assume that some user is sending successive requests to different servers in the domain. I am not sure that there is a way to attach some security assertion to its message; everything would have to be coded by a developer. Even if we can get some assertion reference from the authentication server and then attach it to the message, the server could not rely on it, because a message with an assertion could come from anywhere, and there is no guarantee that the user is the person it claims to be.
But probably somebody has tried SAML in production and can provide some practical recommendations that clear up these obstacles?
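The mechanism SAML uses for points 1 and 3 above is the subject confirmation method. With holder-of-key confirmation the issuer's signed assertion carries the subject's public key, and the subject must sign each message with the matching private key, so a relying server needs to trust only the issuer's key and can still tell whether a given message came from the confirmed subject. The following is an added example, not code from the post or from any SAML library: it models holder-of-key confirmation with Go's standard-library Ed25519 and a hypothetical JSON assertion shape in place of the SAML XML schema and XML-DSig. The issuer name https://idp.example, the JSON field names, the function names and the request payloads are all constructed for the example; only the confirmation-method URN is taken from the SAML 2.0 specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Confirmation method URN from the SAML 2.0 Profiles specification.
const HolderOfKey = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
// Assertion is a hypothetical JSON stand-in for a SAML <Assertion>, reduced to the fields
// needed to bind a message to the subject the issuer vouched for.
type Assertion struct {
	Issuer       string    `json:"issuer"`
	Subject      string    `json:"subject"`
	Method       string    `json:"confirmation_method"`
	SubjectKey   []byte    `json:"subject_key"` // plays the role of <KeyInfo> in SubjectConfirmationData
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

// SignedAssertion is the serialized assertion plus the issuer's signature over it.
type SignedAssertion struct{ Body, Signature []byte }

// Request is what a relying server receives; ProofSig is the subject's signature
// over proofInput(Assertion.Body, Payload).
type Request struct {
	Payload, ProofSig []byte
	Assertion         SignedAssertion
}

// IssueAssertion (identity provider): after authenticating the subject, certify its public key for a limited time.
func IssueAssertion(idpPriv ed25519.PrivateKey, subject string, subjectPub ed25519.PublicKey, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: "https://idp.example", Subject: subject, Method: HolderOfKey, SubjectKey: subjectPub, NotOnOrAfter: time.Now().Add(ttl).UTC()} // hypothetical issuer name
	body, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Body: body, Signature: ed25519.Sign(idpPriv, body)}, nil
}

// proofInput length-prefixes the assertion so an (assertion, payload) pair cannot be re-split differently.
func proofInput(assertionBody, payload []byte) []byte {
	out := make([]byte, 4, 4+len(assertionBody)+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(assertionBody)))
	return append(append(out, assertionBody...), payload...)
}

// MakeRequest (client): every message is signed with the key the assertion names.
func MakeRequest(subjectPriv ed25519.PrivateKey, sa SignedAssertion, payload []byte) Request {
	return Request{Payload: payload, Assertion: sa, ProofSig: ed25519.Sign(subjectPriv, proofInput(sa.Body, payload))}
}

// VerifyRequest (relying server): trust only the issuer's key, and believe the sender is the
// subject only if it proves possession of the key the issuer certified.
func VerifyRequest(idpPub ed25519.PublicKey, req Request, now time.Time) (string, error) {
	if !ed25519.Verify(idpPub, req.Assertion.Body, req.Assertion.Signature) {
		return "", errors.New("assertion is not signed by the trusted issuer")
	}
	var a Assertion
	if err := json.Unmarshal(req.Assertion.Body, &a); err != nil {
		return "", err
	}
	if !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion has expired")
	}
	if a.Method != HolderOfKey || len(a.SubjectKey) != ed25519.PublicKeySize {
		return "", fmt.Errorf("unusable subject confirmation (method %q)", a.Method)
	}
	if !ed25519.Verify(ed25519.PublicKey(a.SubjectKey), proofInput(req.Assertion.Body, req.Payload), req.ProofSig) {
		return "", errors.New("message was not signed by the assertion's subject")
	}
	return a.Subject, nil
}

// Demo runs the honest flow and three attacks on it (payloads are constructed sample data).
func Demo() (subject string, replayRejected, tamperRejected, forgeRejected bool, err error) {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	now, big := time.Now(), []byte(`{"op":"transfer","amount":1000}`)
	sa, _ := IssueAssertion(idpPriv, "alice", alicePub, time.Minute)
	legit := MakeRequest(alicePriv, sa, []byte(`{"op":"transfer","amount":10}`))
	subject, err = VerifyRequest(idpPub, legit, now)
	_, e := VerifyRequest(idpPub, MakeRequest(malloryPriv, sa, big), now) // 1. replay Alice's captured assertion
	replayRejected = e != nil
	tampered := legit
	tampered.Payload = big // 2. keep Alice's assertion and proof, edit the payload
	_, e = VerifyRequest(idpPub, tampered, now)
	tamperRejected = e != nil
	fake, _ := IssueAssertion(malloryPriv, "alice", malloryPub, time.Minute) // 3. self-issued assertion naming alice
	_, e = VerifyRequest(idpPub, MakeRequest(malloryPriv, fake, big), now)
	forgeRejected = e != nil
	return
}
```

Demo returns "alice" for the honest request and rejects all three attacks: a replayed assertion under a different key, a tampered payload, and an assertion not signed by the trusted issuer. Two things the model leaves out are worth knowing when reading the real specification. First, with the bearer confirmation method (urn:oasis:names:tc:SAML:2.0:cm:bearer) there is no proof step at all; the relying party can only check the issuer's signature, the validity window and the intended recipient, so message-to-user binding rests on TLS and short assertion lifetimes, which is exactly the gap described in question 1. Second, in a real deployment the issuer's signature is an XML-DSig over the canonicalized assertion, the subject key is normally an X.509 certificate in KeyInfo, and how the assertion travels with the message is defined by a binding or profile (for web services, the WS-Security SAML Token Profile), not by the assertion format itself.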