The right thing to do is to have IdPs in each of the clusters, which deal with the trusted delegation of identities across clusters.
I meant that each of the clusters has its own STS.
But the trusted delegation across clusters (which will act as realms) requires us to implement WS-Federation support.
Anil, thank you for your response. Would you mind detailing a little more of the specifics on how you see WS-Federation being implemented to solve this problem?
I'm not sure we are on the same page with regard to the scope of the problem. I am specifically interested in the case where two JBoss clusters are in the same security realm. Ping Identity has a solution for this exact problem which I think will help clarify what I am asking for.
Ben, the security realm does not necessarily mean corporate boundaries. A single JBoss cluster can be thought of as one security domain with its own STS. There would be an STS-to-STS relationship among the individual clusters. This is where WS-Federation would come in handy, as it deals with the STS-to-STS relationship.
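The STS-to-STS model Anil describes, as an added illustration that is not part of this thread and not JBoss or PicketLink code: each cluster runs its own STS, trust between two clusters is a key shared by that realm pair (standing in for the signing certificates a WS-Federation deployment would exchange between an IP-STS and an RP-STS), cluster A's STS re-issues a user's local token for cluster B, and cluster B's STS exchanges it for a local token only after checking the signature, issuer, audience and expiry. The token format, claim names and HMAC scheme are my assumptions for the example, not WS-Federation or WS-Trust wire formats.

```python
import base64
import hashlib
import hmac
import json


class TokenRejected(Exception):
    """Raised when an STS refuses a token."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """One STS per cluster (realm), as in the thread's model.

    Local tokens are signed with the realm's own key. Cross-realm tokens are
    signed with a key shared only with the trusted partner realm; that shared
    key is the simplified stand-in for the STS-to-STS trust relationship.
    Token layout (assumed for this example): b64url(JSON claims) "." b64url(HMAC-SHA256).
    """

    def __init__(self, realm, local_key, lifetime=300):
        self.realm = realm
        self.local_key = local_key
        self.lifetime = lifetime
        self.trusted = {}  # partner realm -> shared trust key

    def trust(self, partner_realm, shared_key):
        self.trusted[partner_realm] = shared_key

    def _sign(self, claims, key):
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)

    @staticmethod
    def _verify(token, key):
        """Return the claims only if the HMAC over the body checks out."""
        try:
            body_b64, sig_b64 = token.split(".", 1)
            body = _unb64(body_b64)
            expected = hmac.new(key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig_b64)):
                raise TokenRejected("bad signature")
            return json.loads(body)
        except (ValueError, TypeError):
            raise TokenRejected("malformed token")

    def _check_claims(self, claims, expected_issuer, now):
        if claims.get("iss") != expected_issuer:
            raise TokenRejected("issuer mismatch")
        if claims.get("aud") != self.realm:
            raise TokenRejected("token not intended for this realm")
        if claims.get("exp", 0) <= now:
            raise TokenRejected("token expired")

    def issue_local(self, subject, now, roles=()):
        claims = {"iss": self.realm, "aud": self.realm, "sub": subject,
                  "roles": list(roles), "exp": now + self.lifetime}
        return self._sign(claims, self.local_key)

    def validate_local(self, token, now):
        claims = self._verify(token, self.local_key)
        self._check_claims(claims, expected_issuer=self.realm, now=now)
        return claims

    def issue_cross_realm(self, local_token, target_realm, now):
        """IP-STS side: a valid local identity is re-signed for the partner realm."""
        if target_realm not in self.trusted:
            raise TokenRejected("%s is not a trusted realm" % target_realm)
        claims = self.validate_local(local_token, now)
        federated = {"iss": self.realm, "aud": target_realm, "sub": claims["sub"],
                     "roles": claims["roles"], "exp": now + self.lifetime}
        return self._sign(federated, self.trusted[target_realm])

    def exchange(self, foreign_token, now):
        """RP-STS side: accept a trusted partner's token, hand back a local one."""
        try:  # the issuer claim is untrusted until the signature is verified below
            issuer = json.loads(_unb64(foreign_token.split(".", 1)[0])).get("iss")
        except (ValueError, TypeError):
            raise TokenRejected("malformed token")
        if issuer not in self.trusted:
            raise TokenRejected("no trust relationship with realm %r" % issuer)
        claims = self._verify(foreign_token, self.trusted[issuer])
        self._check_claims(claims, expected_issuer=issuer, now=now)
        return self.issue_local(claims["sub"], now, roles=claims["roles"])


if __name__ == "__main__":
    a, b = SecurityTokenService("clusterA", b"A-local-key"), SecurityTokenService("clusterB", b"B-local-key")
    a.trust("clusterB", b"shared-A-B-trust-key")
    b.trust("clusterA", b"shared-A-B-trust-key")
    now = 1000
    hop = a.issue_cross_realm(a.issue_local("alice", now, roles=["admin"]), "clusterB", now)
    print(b.validate_local(b.exchange(hop, now), now))
```

A cluster A local token presented straight to cluster B fails the signature check, a cross-realm token replayed against any realm other than its audience fails the audience check, and a token from a realm with no trust entry is refused before any signature work. One caveat the shared-key simplification introduces: either STS in a pair can mint tokens in the other's name, whereas WS-Federation's signed SAML assertions let only the holder of the issuer's private key do that, so the certificate exchange is the part worth keeping when moving from this sketch to a real deployment.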
Thanks Anil, I will take a closer look at using an STS in each cluster.
I would like to get your thoughts on Ping Identity's OpenToken. It appears to be a good fit for JBoss and provides a feature that many of JBoss's competitors already provide. I am wondering whether you see a reason why it would not be a good idea to implement something similar to achieve cross-cluster SSO?
Ben, I can understand the reasoning behind OpenToken. It does exactly what WS-Fed can do, at a lighter scale.
Here is the WS-Fed spec.
I am sure WS-Fed may seem heavier, but it is the standards-based approach.