SSO authentication for REST API calls

Cantor, Scott cantor.2 at
Wed May 4 11:03:08 EDT 2016

> Scott, you triggered my curiosity, can I ask for a brief summary (or the general
> idea) of what was implemented?

It's documented in generally unreadable fashion in [1]. It's "just" recursive ECP to implement delegation. The recursive call to the IdP was over-engineered because of WS-* at the time and I'd do it more simply today, but it's largely moot.

When and if we do OAuth, it will not be bearer based though, at least not the interaction with the IDP. That's inexcusable for a server-side security flow.
-- Scott

