Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy based access control for SAML IdP #89

Closed
tsujiguchitky opened this issue May 13, 2019 · 0 comments
Closed

Policy based access control for SAML IdP #89

tsujiguchitky opened this issue May 13, 2019 · 0 comments
Assignees
@Iwakata
Milestone
OpenAM 14.0.0

Comments

@tsujiguchitky
Copy link
Contributor

Description

When OpenAM works as SAML IdP, authorization is delegated to SP. By default, if authentication is complete, an assertion is issued to the SP.

There are several problems with this behavior.

  • If there is a requirement for different authentication for each SP, the feasibility depends on the SP specification (such as whether the authentication context class can be changed)
  • Behavior is not managed by IdP side because it depends on SP
  • If you have a mixture of SAML SPs and agent-protected applications that require multi-factor authentication, the difference in mechanism may require re-authentication. (The SAML SP handles OTP in the authentication chain, and the agent does OTP in session upgrade. )

Solution

Add policy based access control for SAML IdP.

When OpenAM processes a SAML authentication request, it checks the policy. Then It decides whether to issue an assertion, reject the request, or require additional authentication.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Iwakata Iwakata

Labels
None yet
Projects
None yet
Milestone
OpenAM 14.0.0
Development

No branches or pull requests
2 participants
@tsujiguchitky @Iwakata