directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: Claims based authentication with ApacheDS
Date Wed, 28 Oct 2015 13:09:14 GMT
Kiran, Pierre, Stefan and Sergey - thanks for your helpful input!! 

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org] 
Sent: Tuesday, October 27, 2015 10:43 PM
To: users@directory.apache.org
Subject: Re: Claims based authentication with ApacheDS

Hi Carlo,

On Tue, Oct 27, 2015 at 11:16 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> Hi,
>
> We're starting to hear our customers ask for 'claims based authentication'
> with our product which back end with  ApacheDS.
>
the claims can come in many formats, SAML and JWT being two well known structures

> I've researched it a bit and it's clearly beyond the goals of an LDAP 
> server.
>
yes, indeed

> My question is, are any of you trying to implement something like 
> this? If so, what is the stack you're using?
>
in web-SSO environments the Identity Provider (a.k.a. IdP) can do this task of authenticating
users based on the tokens, and for this to work a trust relationship needs to be established
between the client app and the IdP

> What are challenges, benefits, risks?
>
challenges: 1. need to deal with more than one token format (SAML, JWT etc)
            2. managing the certificates, though majority of these are self-signed (no _need_
               for CA signed certs) they still need to be managed

benefits: more ways to authenticate than simple username and password combo

I don't see any risks with this approach other than a bit of complexity in implementing

> Thanks,
> Carlo Accorsi


--
Kiran Ayyagari
http://keydap.com