Authn cancel from a subflow.

[Cantor, Scott]

On 8/6/15, 1:32 PM, "users on behalf of cneberg" <users-bounces at shibboleth.net on behalf of cneberg at gmail.com> wrote:


>
>I assume you mean any small changes to the context tree of the flow, as done by my code would break the the code of the flow (which is my goal) - so this is the path I should take if I need authorization in the IDP?

Yes, anything else would require an exhaustive security study of SWF, a penetration test, etc. I'm likely being very conservative in my assessment here but since I don't really know...

>I agree with fine grained authorization there is no other way but to do authorization in the SP, but for general corporate requirements doing it at the IDP is simpler to enforce at scale, and just as important to audit at scale.

Most major applications have so many back doors when it comes to integrating SSO that the audit would have to be done at the application anyway if it was to mean anything.

>So I guess I'm asking is - could there be a blessed way for developers who want to implement Authorization in the IDP to do it securely?    Either the way you describe above - becomes the blessed way, OR some new API we could code to?   I could open a case if this is something you are willing to discuss more.

If you want to request a feature for this, that's fine. I think we just need to implement a final gating step that prevents a response and document how to inform it.

-- Scott