I was thinking more about this, and our implementation reflects what Kent mentioned. The trader client does not send the user id directly to the business service because they live in two different security domains (the trader client in the bank, and the business service in the broker), and therefore the user id in the two domains does not need to be the same. The Active STS running in the broker is the one that should map the "user id" claim sent by the trader client application (negotiated first with the passive STS) to the user id in the broker. In the current implementation we have the same user id in both domains, but it could be different.
Pablo.

-----Original Message-----
From: Nick Hauenstein [mailto:[email protected]]
Sent: Thursday, December 10, 2009 8:07 PM
To: [email protected]
Subject: RE: StockTrader Sample Documentation Updates

I guess I could see that. In a way we do have multiple front ends, in the form of the different implementations of the StockTrader client. Once M2 is ready to rock, all front ends should be able to connect to the same back end using their own passive STS (which in a way could represent multiple banks connecting to the same services). The need for a passive STS in the client could still be justified, as the bank undoubtedly has multiple web applications that would also require authentication at the same source. I have versions of the swim lane in both configurations attached to the page in question [1]. I'll wait for a few more replies before I pull another swap.

- Nick Hauenstein

[1] http://cwiki.apache.org/confluence/pages/viewpageattachments.action?pageId=3474855
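The claim mapping Pablo describes above (bank-side passive STS issues a token carrying the bank's user id; broker-side Active STS validates it and maps it to the broker's own user id) as an added, self-contained example. This is not StockTrader code: the token format (JSON payload plus an HMAC) is a constructed stand-in for the SAML/WS-Trust tokens the real sample exchanges, and the issuer names, keys and mapping table are assumptions made up for the example. The point it shows is that the broker trusts only the issuer it has a key for, checks the signature and audience before reading any claim, and keys the mapping by (issuer, user id) so two banks sending the same user id never collide.

```python
"""Claims mapping at a broker-side Active STS (added example, not StockTrader code).

The bank's passive STS issues a token naming the user as the bank knows them;
the broker's Active STS validates that token and maps the (issuer, user id)
pair to the broker's own user id. Tokens are a constructed JSON+HMAC stand-in
for the SAML/WS-Trust tokens in the real sample.
"""
import hashlib
import hmac
import json
import time

# Assumption: one shared verification key per trusted issuer (the real sample
# uses X.509 signatures; an HMAC keeps this runnable offline).
TRUSTED_ISSUERS = {
    "urn:bank:passive-sts": b"bank-sts-demo-key",
}

BROKER_AUDIENCE = "urn:broker:active-sts"

# Constructed mapping table: (issuer, bank user id) -> broker user id.
# In the current sample both ids are the same; here they differ on purpose.
USER_MAPPING = {
    ("urn:bank:passive-sts", "uid:1001"): "broker-trader-42",
    ("urn:bank:passive-sts", "uid:1002"): "broker-trader-07",
}


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(issuer, key, user_id, audience, ttl=300, now=None):
    """Bank-side passive STS: mint a token carrying the bank's user id claim."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": user_id, "aud": audience, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload, key)}


def map_to_broker_user(token, now=None):
    """Broker-side Active STS: validate the token and return the broker user id.

    Raises ValueError on untrusted issuer, bad signature, wrong audience,
    expired token, or a bank user the broker has no account mapped for.
    """
    now = time.time() if now is None else now
    payload = token["payload"].encode()
    claims = json.loads(payload)
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    # Verify the signature before trusting any other claim in the payload.
    if not hmac.compare_digest(_sign(payload, key), token["sig"]):
        raise ValueError("bad signature")
    if claims.get("aud") != BROKER_AUDIENCE:
        raise ValueError("token not issued for this broker")
    if claims.get("exp", 0) < now:
        raise ValueError("token expired")
    # Keyed by issuer as well as user id, so ids from different banks never collide.
    broker_user = USER_MAPPING.get((claims["iss"], claims["sub"]))
    if broker_user is None:
        raise ValueError("no broker account mapped for this user")
    return broker_user


def map_or_error(token, now=None):
    """Convenience wrapper: the broker user id, or the rejection reason as text."""
    try:
        return map_to_broker_user(token, now=now)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    tok = issue_token("urn:bank:passive-sts", TRUSTED_ISSUERS["urn:bank:passive-sts"],
                      "uid:1001", BROKER_AUDIENCE)
    print(map_or_error(tok))
```

In the mapping the broker never uses the bank's user id as its own identity; it only uses it as a lookup key after the token's origin has been verified, which is what lets the two domains keep different ids.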
