Use cases: log in to Geronimo directly; the client authenticates to an external
server and then presents authentication evidence (an authentication assertion)
to Geronimo.
I'd like to have a very simple login-service API:

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

interface LoginService {
    // authenticate against the named realm; a failed login throws
    JaasSessionId login(String securityRealmName, CallbackHandler cbh) throws LoginException;
    void logout(JaasSessionId id);
    Subject getSubject(JaasSessionId id);
}
Then there should be a special login module that calls the login-service API
using JAAS (a stripped-down version of the jaas-login-coordinator). SecurityRealm
will be wired with LoginModules (same as now). The security realm will enforce
its authentication semantics; the security realm will always wrap principals
with domain-principals and realm-principals; delegating principals will be
instantiated as well for protocols that support delegation.
I'd like to support the basic browser profiles for SAML 1.1, where authentication
is done by assertion: the user authenticates to an external service and then
the partner site presents an authentication assertion.
I think that authentication by assertion is going to work for CSIv2 as
well...
Thoughts?
Simon
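An added example, not Geronimo code and not part of Simon's message: a JAAS LoginModule that does nothing but forward to the proposed LoginService (the stripped-down coordinator), plus a constructed in-memory LoginService so the whole thing runs stand-alone through a programmatic JAAS Configuration. Assumptions, none of which come from the post: the option keys "loginService" and "realmName", the `throws LoginException` on `login()`, `JaasSessionId` as an opaque identity-compared handle, an `X500Principal` standing in for the realm's own domain/realm principal wrapping, and the realm "demo" with user simon/secret.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Opaque session handle returned by LoginService.login(); its shape is assumed (identity-compared).
final class JaasSessionId {}

// The proposed service; the 'throws LoginException' on login() is an assumption.
interface LoginService {
    JaasSessionId login(String securityRealmName, CallbackHandler cbh) throws LoginException;
    void logout(JaasSessionId id);
    Subject getSubject(JaasSessionId id);
}

// Constructed in-memory LoginService: realm "demo", user simon/secret via Name/PasswordCallback.
// X500Principal stands in for the realm's own domain-principal / realm-principal wrapping.
final class InMemoryLoginService implements LoginService {
    private final Map<JaasSessionId, Subject> sessions = new HashMap<>();
    public JaasSessionId login(String realm, CallbackHandler cbh) throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { cbh.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callbacks failed: " + e); }
        boolean ok = "demo".equals(realm) && "simon".equals(nc.getName())
                && Arrays.equals("secret".toCharArray(), pc.getPassword());
        pc.clearPassword(); // do not keep the cleartext around longer than the check
        if (!ok) throw new FailedLoginException("bad credentials for realm " + realm);
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal("CN=" + nc.getName() + ",O=" + realm));
        JaasSessionId id = new JaasSessionId();
        sessions.put(id, s);
        return id;
    }
    public void logout(JaasSessionId id) { sessions.remove(id); }
    public Subject getSubject(JaasSessionId id) { return sessions.get(id); }
}

// The login module: a stripped-down coordinator that only forwards to the LoginService.
public class LoginServiceLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private LoginService service;
    private String realmName; private JaasSessionId sessionId;
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        this.service = (LoginService) options.get("loginService"); // option keys are assumed
        this.realmName = (String) options.get("realmName");
    }
    public boolean login() throws LoginException {
        if (service == null || realmName == null) throw new LoginException("login module not configured");
        sessionId = service.login(realmName, handler); // the realm applies its own authentication semantics
        return true;
    }
    public boolean commit() throws LoginException {
        if (sessionId == null) return false;
        Subject s = service.getSubject(sessionId);
        if (s == null) throw new LoginException("session is no longer valid");
        subject.getPrincipals().addAll(s.getPrincipals());
        subject.getPrivateCredentials().add(sessionId); // lets a later logout() find the session
        return true;
    }
    public boolean abort() throws LoginException {
        if (sessionId == null) return false;
        service.logout(sessionId); sessionId = null; // our login passed, but the overall context failed
        return true;
    }
    public boolean logout() throws LoginException {
        if (sessionId == null) return false;
        Subject s = service.getSubject(sessionId);
        if (s != null) subject.getPrincipals().removeAll(s.getPrincipals());
        subject.getPrivateCredentials().remove(sessionId);
        service.logout(sessionId); sessionId = null;
        return true;
    }
    // Demo: programmatic JAAS Configuration, one successful login/logout, then one rejected login.
    public static void main(String[] args) {
        Map<String, Object> opts = new HashMap<>();
        opts.put("loginService", new InMemoryLoginService()); opts.put("realmName", "demo");
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(LoginServiceLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        try {
            LoginContext lc = new LoginContext("demo", new Subject(), handler("simon", "secret".toCharArray()), cfg);
            lc.login();
            System.out.println("after login:  " + lc.getSubject().getPrincipals());
            lc.logout();
            System.out.println("after logout: " + lc.getSubject().getPrincipals());
            new LoginContext("demo", new Subject(), handler("simon", "wrong".toCharArray()), cfg).login();
        } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
    private static CallbackHandler handler(String user, char[] pw) {
        return cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
            else throw new UnsupportedCallbackException(c); } };
    }
}
```

The module keeps the JaasSessionId in the Subject's private credentials so that logout() can tear down both sides: the service-side session and the principals it copied into the Subject. abort() covers the case where this module's login succeeded but another module in the same context failed, so no server-side session is leaked; the wrong-password run shows the FailedLoginException from the service surfacing unchanged through LoginContext.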