Axton
The problem with SAML is that it isn't quite "a standard". I thought it
would be easy to pick up an open source SAML Service Provider library
and plug it into SSO Plugin. Three weeks later, we'd pretty much written
our own implementation because even the open source libraries were a
little complicated, i.e. tied to JBoss, or coupled with masses of
enterprise "stuff" that's completely irrelevant to Mid Tier / AR System.
For example, why would we need a SAML Identity Provider for Mid Tier?
It's a service, not an Identity Provider. Microsoft ADFS or Ping
Federate are perfectly sufficient Identity Providers.
Yet, OpenAM and hence AtriumSSO has an Identity Provider implementation.
This adds more complication, weight and debugging effort to the product.
It's luggage BMC can't eject, because they are re-badging OpenAM, and
hence it's carried to each deployment of AtriumSSO.
I've heard BMC are running hacked versions of OpenAM/AtriumSSO for the
BMC OnDemand service, because it required 'bending' to make it integrate
with customer Identity Provider implementations. The cost to BMC of such
an approach is crazy: two instances of the same product, working
differently!
For example, Juniper network devices only support a single target URL
(i.e. you can only configure access to /arsys/home or /arsys/forms/*, not
both), so a 'single entry point' for Mid Tier is required, i.e.
/arsys/jss-sso/saml/authenticate, which automatically redirects to the
user's requested entry point (which isn't how Mid Tier works).
For example, I believe Symphony Identity Management requires a funny
POST URL to the IDP, i.e. http://idp/?RelayState=http://midtier/arsys/home
- clearly, you don't pass a GET request when making a POST request
(where the RelayState parameter should be passed in the form).
For example, AtriumSSO does not support multi-tenant single sign-on, i.e.
multiple different customers sharing the same Mid Tier instance. Even
with an 'enterprise' solution bolted into the architecture, it still
can't deal with two SAML configurations. Which I find a little odd
because OpenAM is supposed to support this through the use of Realms :)
John
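The two SAML points above (RelayState belongs in the POST form, not the IdP's query string, and a single entry point that redirects to the user's requested page must not become an open redirect) as an added illustration in Python; this is example code, not SSO Plugin's or any library's implementation, and the AuthnRequest, URLs and allowed path prefixes are constructed placeholders.

```python
import base64
from html import escape
from urllib.parse import urlsplit

# Constructed sample AuthnRequest; a real SP would generate, sign and track its ID.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2012-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://midtier.example/arsys/jss-sso/saml/authenticate"/>'
)

def build_post_binding_form(idp_sso_url, authn_request_xml, relay_state):
    """HTTP-POST binding: SAMLRequest (base64 of the raw XML, no deflate) and
    RelayState are hidden form fields; nothing SAML-related goes in the URL."""
    if "?" in idp_sso_url:
        raise ValueError("IdP SSO URL must not carry SAML parameters in its query string")
    saml_request = base64.b64encode(authn_request_xml.encode()).decode()
    return (
        f'<form method="post" action="{escape(idp_sso_url, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{escape(saml_request, quote=True)}"/>'
        f'<input type="hidden" name="RelayState" value="{escape(relay_state, quote=True)}"/>'
        '<input type="submit" value="Continue"/></form>'
    )

def decode_post_binding(form_fields):
    """SP side: recover the XML and RelayState from the posted form body."""
    xml = base64.b64decode(form_fields["SAMLRequest"]).decode()
    return xml, form_fields.get("RelayState", "")

def safe_relay_target(relay_state, allowed_prefixes=("/arsys/home", "/arsys/forms/")):
    """Where the single entry point may send the browser once the assertion is
    accepted. RelayState comes back from the browser, so it is untrusted input:
    only relative paths under known Mid Tier entry points are honoured; anything
    else falls back to a fixed default instead of becoming an open redirect."""
    default = "/arsys/home"
    if not relay_state or len(relay_state.encode()) > 80:  # SAML bindings cap RelayState at 80 bytes
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:      # absolute or protocol-relative URL
        return default
    if "\\" in relay_state:               # browsers treat /\host as //host
        return default
    if not any(parts.path.startswith(p) for p in allowed_prefixes):
        return default
    return relay_state
```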
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"