Subject Re: VO challenges - article
From Mike Schwartz <mike@xxxxxxxx>
Date Thu, 22 Oct 2015 09:39:58 -0500

In the enterprise space, authn and authz have always been bundled (i.e. Siteminder, Oracle Access Manager, IBM Tivoli Access Manager, RSA Cleartrust, Sun Access Manager, etc...). This is the reason we spent so much time implementing UMA at Gluu--it provides the centralized PDP and PEP architecture using open standards, for both Web and native applications.

Centralizing access management is not the answer to life, the universe and everything--you'll still need fine-grained authz in the apps. But consolidation saves money. And in fact, trust elevation--an essential part of authentication--is itself an authorization policy. For example, when you access this resource, you need to be more strongly identified.

- Mike

On 2015-10-22 09:32, Keith Hazelton wrote:
Have to say I agree with Scott’s point: If the sole use of a campus
IdP by VOs is for authentication and credential management, other
solutions will drive those IdPs out of the federated VO space.

email & jabber: keith.hazelton@xxxxxxxx

On 2015-10-22, 09:17 , "Cantor, Scott" <cantor.2@xxxxxxx> wrote:

On 10/22/15, 6:57 AM, "David Chadwick" <d.w.chadwick@xxxxxxxxxx> wrote:

But isn't this a protocol issue? The SP can demand this in the request
can't it? (certainly in our Shib implementation we can ask for either
persistent or transient and both work)

I can demand a pony, that doesn't mean I'll get one.

My own opinion is that once you give up on using federation for authorization data, it's inevitable that authentication will follow.

If the IdPs don't want to be in the business of helping with access management for the applications using their service, then they won't have a service to worry about within a short span of time.

-- Scott

Michael Schwartz
Founder / CEO
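As an added illustration of the point above (trust elevation expressed as an authorization policy, with a central PDP answering for a PEP), and not code from this thread or from Gluu's UMA implementation: a minimal decision point whose answer can be "step up first" rather than a flat permit/deny. The role names, method-to-assurance ordering and sample policy are assumptions made up for the example.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example: a tiny policy decision point (PDP) whose verdict can be
# "step up" instead of only permit/deny, so that trust elevation is just one
# more authorization outcome. Names and assurance levels are assumptions.


class Decision(Enum):
    PERMIT = "permit"
    STEP_UP = "step_up"  # entitled, but must authenticate more strongly first
    DENY = "deny"


# Assumed ordering of authentication methods by assurance (higher is stronger).
ASSURANCE = {"password": 1, "otp": 2, "hardware_key": 3}


@dataclass(frozen=True)
class ResourcePolicy:
    required_roles: frozenset  # any one of these roles entitles the subject
    min_assurance: int         # level the current session must have reached


@dataclass(frozen=True)
class Subject:
    roles: frozenset
    authn_methods: frozenset   # methods already satisfied in this session


def session_assurance(subject: Subject) -> int:
    """Strongest assurance level reached by the current session (0 if none)."""
    return max((ASSURANCE.get(m, 0) for m in subject.authn_methods), default=0)


def decide(policy: ResourcePolicy, subject: Subject) -> Decision:
    """PDP: entitlement is checked before assurance, so a subject who could
    never access the resource is denied outright rather than prompted to
    step up for nothing."""
    if not (policy.required_roles & subject.roles):
        return Decision.DENY
    if session_assurance(subject) < policy.min_assurance:
        return Decision.STEP_UP
    return Decision.PERMIT


def enforce(policy: ResourcePolicy, subject: Subject) -> str:
    """PEP: map the decision onto what the application actually does; a
    step-up tells the caller which level it must reach, not just that it failed."""
    decision = decide(policy, subject)
    if decision is Decision.STEP_UP:
        return f"redirect: authenticate at assurance level {policy.min_assurance}"
    if decision is Decision.DENY:
        return "403 forbidden"
    return "200 ok"
```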