1. Re: decentralized identity Federation component
anil.saldhana Mar 9, 2009 5:33 PM (in response to aamonten)
It is just one of the use cases possible.
It should be pretty straightforward to implement this use case as a valve/servlet filter and tie it with the container security.
The question would be what trust information gets associated with the user name that floated in? Maybe the digital signature of the sender with whom the IDP has a trust relationship.....
2. Re: decentralized identity Federation component
anil.saldhana Mar 9, 2009 5:34 PM (in response to aamonten)
Alejandro, I would suggest filing a Feature Request JIRA on this with information/use case etc.
3. Re: decentralized identity Federation component
aamonten Mar 11, 2009 10:54 AM (in response to aamonten)
I was reading about the SAMLv2 spec, and found this definition:
    Pseudonyms - SAML V2.0 defines how an opaque pseudo-random identifier with no discernible correspondence with meaningful identifiers (for example, emails or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an email address).
I believe this will solve the issue. We should just discuss the implementation-specific details.
I will add a feature request at the JIRA.
Thanks
4. Re: decentralized identity Federation component
aamonten Mar 11, 2009 2:44 PM (in response to aamonten)
"anil.saldhana@jboss.com" wrote:
    It is just one of the use cases possible.
    It should be pretty straightforward to implement this use case as a valve/servlet filter and tie it with the container security.
    The question would be what trust information gets associated with the user name that floated in? Maybe the digital signature of the sender with whom the IDP has a trust relationship.....
I'm more concerned about the user identifier: SP-1 could have used the username as the identifier while SP-2 could use the email as the identifier; then there is a problem matching the identifiers.
Does anyone know if there is a standard for this? I have been looking at the "Name Identifier Management Profile" but I am not sure if it's adequate, as I see it as too open, and I want to avoid creating something non-standard.
Maybe a kind of alias service that manages the mappings of ids related to a unique identifier...
5. Re: decentralized identity Federation component
anil.saldhana Mar 11, 2009 3:09 PM (in response to aamonten)
The metadata profile would be the place to look for these. MD defines what information gets agreed between two parties. I will have to do some MD work next.
The Pseudonym is when you get into a different domain than yours and you need to be provided access on a temporary or a prolonged basis. An example: you are a member of your local library. Your local library knows you as "AM". But when you try to browse stuff in your neighboring library, which does not know you but knows your library and trusts it, they will let you in under a pseudonym. Pseudonym was also created to maintain privacy.
6. Re: decentralized identity Federation component
aamonten Mar 11, 2009 3:19 PM (in response to aamonten)
Thanks for the clarifications. I think both are interesting issues that should be implemented. I will create the appropriate feature request at JIRA.
7. Re: decentralized identity Federation component
anil.saldhana Mar 17, 2009 12:26 PM (in response to aamonten)
Support for pseudonyms was added to the IDM layer as part of https://jira.jboss.org/jira/browse/JBID-29