Kiran, Pierre, Stefan and Sergey - thanks for your helpful input!!

-----Original Message-----
From: Kiran Ayyagari [mailto:[email protected]]
Sent: Tuesday, October 27, 2015 10:43 PM
To: [email protected]
Subject: Re: Claims based authentication with ApacheDS
Hi Carlo,

On Tue, Oct 27, 2015 at 11:16 PM, <[email protected]> wrote:
> Hi,
>
> We're starting to hear our customers ask for 'claims based authentication'
> with our product, which is backed by ApacheDS.

the claims can come in many formats, SAML and JWT being two well-known structures

> I've researched it a bit and it's clearly beyond the goals of an LDAP
> server.

yes, indeed

> My question is, are any of you trying to implement something like
> this? If so, what is the stack you're using?

in web-SSO environments the Identity Provider (a.k.a. IdP) can do this task of authenticating users based on the tokens, and for this to work a trust relationship needs to be established between the client app and the IdP

> What are challenges, benefits, risks?

challenges:
1. need to deal with more than one token format (SAML, JWT etc.)
2. managing the certificates; though the majority of these are self-signed (no _need_ for CA-signed certs), they still need to be managed

benefits: more ways to authenticate than the simple username and password combo

I don't see any risks with this approach other than a bit of complexity in implementing

> Thanks,
> Carlo Accorsi

--
Kiran Ayyagari
http://keydap.com
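The relying-party side of the trust relationship Kiran describes, shown for the JWT case as an added example (this is not code from this thread, from ApacheDS or from keydap): the app pins the IdP's public key, accepts only tokens that key signed, pins the signing algorithm instead of letting the token choose it, and checks issuer, audience and expiry. The IdP key pair is generated in-process to stand in for the (often self-signed) certificate whose public half the app would store; the issuer `https://idp.example`, the audience `ldap-app` and the `signJWT` helper are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"` // seconds since the Unix epoch
}

// signJWT mints an RS256 JWT the way a hypothetical IdP would. In a real
// deployment this runs on the IdP; it is here only to keep the example self-contained.
func signJWT(idpKey *rsa.PrivateKey, c Claims) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyJWT is the relying-party check. The trust relationship with the IdP is
// the pinned public key: a token is accepted only if that key signed it, it names
// the expected issuer and audience, and it has not expired at time `now`.
func verifyJWT(token string, idpPub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	headerBytes, errH := enc.DecodeString(parts[0])
	bodyBytes, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, errors.New("token parts are not base64url encoded")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerBytes, &header); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm to what the IdP actually uses; never let the token pick it
	// (this rules out "none" and HMAC-with-public-key confusion).
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature was not produced by the trusted IdP key")
	}
	// Only after the signature is verified is the payload worth believing.
	var c Claims
	if err := json.Unmarshal(bodyBytes, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Audience != audience {
		return nil, fmt.Errorf("token issued for %q, not for this app", c.Audience)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Constructed scenario: one trusted IdP key, one rogue key that is not pinned.
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := Claims{Issuer: "https://idp.example", Subject: "carlo", Audience: "ldap-app", Expiry: now.Add(5 * time.Minute).Unix()}
	good, _ := signJWT(idpKey, claims)
	forged, _ := signJWT(rogueKey, claims)
	for _, tok := range []string{good, forged} {
		if c, err := verifyJWT(tok, &idpKey.PublicKey, "https://idp.example", "ldap-app", now); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted subject", c.Subject)
		}
	}
}
```

The certificate-management point in the thread shows up as the `idpPub` argument: in practice that key comes out of band from the IdP's (possibly self-signed) certificate or its metadata, and rotating the IdP certificate means updating it here, so the app needs a way to hold more than one trusted key during a rollover. A SAML assertion would need the same shape of check (pinned IdP certificate, audience, validity window) but via XML signature verification rather than the JWT compact form.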
