
mace-opensaml-users - RE: Need help: SAML enable Appliance

Subject: OpenSAML user discussion


RE: Need help: SAML enable Appliance


  • From: "Scott Cantor" <>
  • To: "'Smith Baylor'" <>
  • Cc: <>
  • Subject: RE: Need help: SAML enable Appliance
  • Date: Thu, 5 Aug 2004 17:20:16 -0400
  • Organization: The Ohio State University

> All that I want to do is provide a way to use the same SSO server for
> authenticating a user at the gateway and later use the same token
> within a Web or App Server so that I don't have to reauthenticate the
> person.

If the back-end server is a web server interacting directly with the client,
then what's the gateway doing?

If you can deploy the SAML SSO profile on the back-end, the gateway doesn't
need to be there.

If you can't, then you aren't doing SAML at that end, so you could
authenticate to the gateway with SAML, and then do whatever it is that the
back-end understands by having the gateway translate that credential into
something else.

That's in fact how a lot of the SAML products tend to work, from what I
understand. They funnel the SAML SSO to one spot and then do something
proprietary between there and the apps.

Also, "reauthentication" and "use the same token" are orthogonal. SAML SSO
is point to point (the token in 1.1 is service-specific and can't be reused) but
that doesn't mean the user is authenticating over and over, at least not
visibly. The authn authority maintains a session and just issues new tokens
for each subsequent service.

-- Scott
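
Added example, not part of the original message and not OpenSAML code: a sketch of the relying-party checks that make a SAML 1.1 assertion usable at only one service, assuming the service-specificity is carried in an `AudienceRestrictionCondition`. The entity URLs, the assertion and the `accept` helper are constructed for illustration, and rejecting assertions with no validity window or no audience restriction is a policy choice of this sketch.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: an assertion the authority issued for the gateway only.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://idp.example.org" IssueInstant="2004-08-05T21:20:16Z">
  <saml:Conditions NotBefore="2004-08-05T21:20:16Z" NotOnOrAfter="2004-08-05T21:25:16Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://gateway.example.org</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML instants are UTC, e.g. 2004-08-05T21:20:16Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept(assertion_xml, my_audience, now):
    """Return (ok, reason) for the conditions one relying party enforces.
    Signature verification is out of scope here and must come first."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        return False, "unbounded validity"
    if not (_ts(nb) <= now < _ts(noa)):
        return False, "outside validity window"
    restrictions = cond.findall("saml:AudienceRestrictionCondition", NS)
    if not restrictions:
        return False, "no audience restriction"
    # Multiple conditions are ANDed: each one must name this service.
    for r in restrictions:
        audiences = {(a.text or "").strip() for a in r.findall("saml:Audience", NS)}
        if my_audience not in audiences:
            return False, "audience mismatch"
    return True, "ok"

NOW = datetime(2004, 8, 5, 21, 22, 0, tzinfo=timezone.utc)  # constructed clock
if __name__ == "__main__":
    print(accept(ASSERTION, "https://gateway.example.org", NOW))  # intended service
    print(accept(ASSERTION, "https://backend.example.org", NOW))  # token forwarded to back-end
```

The back-end rejects the gateway's assertion, so it either needs its own assertion from the authority's existing session or a credential the gateway translates for it.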



