Authn cancel from a subflow.

cneberg cneberg at gmail.com
Thu Aug 6 17:17:16 EDT 2015


Thank you for the discussion and feedback.  I entered the feature request
https://issues.shibboleth.net/jira/browse/IDP-784

>>I agree with fine grained authorization there is no other way but to do
>>authorization in the SP, but for general corporate requirements doing it at
>>the IDP is simpler to enforce at scale, and just as important to audit at
>>scale.
>Most major applications have so many back doors when it comes to
>integrating SSO that the audit would have to be done at the application
>anyway if it was to mean anything.

I agree with those issues, but even when you've proven to yourself the
app/architecture is secure (not implying you only do this once) - someone
still needs to regularly audit the authorization policies to ensure
they are in line with corporate policies, and corporate policies change so
it's a never-ending job.

On Thu, Aug 6, 2015 at 2:31 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/6/15, 1:32 PM, "users on behalf of cneberg" <
> users-bounces at shibboleth.net on behalf of cneberg at gmail.com> wrote:
>
>
> >
> >I assume you mean any small changes to the context tree of the flow, as
> done by my code would break the code of the flow (which is my goal) -
> so this is the path I should take if I need authorization in the IDP?
>
> Yes, anything else would require an exhaustive security study of SWF, a
> penetration test, etc. I'm likely being very conservative in my assessment
> here but since I don't really know...
>
> >I agree with fine grained authorization there is no other way but to do
> authorization in the SP, but for general corporate requirements doing it at
> the IDP is simpler to enforce at scale, and just as important to audit at
> scale.
>
> Most major applications have so many back doors when it comes to
> integrating SSO that the audit would have to be done at the application
> anyway if it was to mean anything.
>
> >So I guess I'm asking is - could there be a blessed way for developers
> who want to implement Authorization in the IDP to do it securely?    Either
> the way you describe above - becomes the blessed way, OR some new API we
> could code to?   I could open a case if this is something you are willing
> to discuss more.
>
> If you want to request a feature for this, that's fine. I think we just
> need to implement a final gating step that prevents a response and document
> how to inform it.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
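The "final gating step that prevents a response" Scott describes, sketched below as an added example: this is not part of the thread and not Shibboleth IdP code. The names AuthorizationGate, Decision, issue_response and the policy table are assumptions, as is the placement of the hook between attribute resolution and response generation. It shows the two properties the thread argues for, a deny-by-default check at a single choke point before any assertion is built, and an audit record for every decision (allow or deny) at that same point, so policy can be reviewed in one place rather than per application.

```python
"""A deny-by-default authorization gate that runs as the last step before an
IdP builds its response, with every decision written to one audit log.

Illustrative sketch added here; this is not Shibboleth IdP code. The names
AuthorizationGate, Decision, issue_response and the policy table below are
assumptions, as is the idea that the real hook would sit between attribute
resolution and response generation.
"""
from dataclasses import dataclass, field
import json
import time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuthorizationGate:
    # policy: relying-party entityID -> {attribute name: acceptable values}.
    # Every listed attribute must carry at least one acceptable value.
    policy: dict
    audit: list = field(default_factory=list)

    def decide(self, principal: str, attributes: dict, relying_party: str) -> Decision:
        rules = self.policy.get(relying_party)
        if rules is None:
            # Fail closed: a relying party with no registered policy gets nothing.
            decision = Decision(False, "no policy registered for relying party")
        else:
            unmet = [name for name, acceptable in rules.items()
                     if not set(attributes.get(name, ())) & set(acceptable)]
            decision = Decision(not unmet,
                                "ok" if not unmet else "unmet: " + ", ".join(unmet))
        # One audit record per decision, allow or deny, at the single choke point.
        self.audit.append({
            "ts": time.time(),
            "principal": principal,
            "relying_party": relying_party,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def audit_jsonl(self) -> str:
        """Audit trail as JSON lines, one record per decision."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def issue_response(gate: AuthorizationGate, principal: str,
                   attributes: dict, relying_party: str):
    """Build the (stand-in) response only if the gate allows it; None on deny."""
    if not gate.decide(principal, attributes, relying_party).allowed:
        return None
    return {"subject": principal, "audience": relying_party,
            "attributes": attributes}


# Constructed sample policy and users (not real deployments).
POLICY = {
    "https://hr.example.org/sp": {"eduPersonAffiliation": ["staff"],
                                  "department": ["hr"]},
    "https://wiki.example.org/sp": {"eduPersonAffiliation": ["staff", "student"]},
}
ALICE = {"eduPersonAffiliation": ["staff"], "department": ["hr"]}
BOB = {"eduPersonAffiliation": ["student"]}

if __name__ == "__main__":
    gate = AuthorizationGate(POLICY)
    print(issue_response(gate, "alice", ALICE, "https://hr.example.org/sp"))
    print(issue_response(gate, "bob", BOB, "https://hr.example.org/sp"))
    print(gate.audit_jsonl())
```

The gate returns a decision rather than mutating any flow state, so a caller cannot "half apply" it; the only way to get a response is for `issue_response` to see an allow, and an unregistered relying party is denied rather than silently passed through.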