
mace-opensaml-users - Re: Need help: SAML enable Appliance

Subject: OpenSAML user discussion


Re: Need help: SAML enable Appliance


  • From: Smith Baylor <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: Need help: SAML enable Appliance
  • Date: Thu, 5 Aug 2004 14:50:33 -0700

So, I have a basic question then. When many gateways like
DataPower's XS40, F5 Networks or Juniper's SSL/VPN or some other XML
Firewall/Gateway or SSL/VPN vendor says that they have integrated
their appliance with a Netegrity Siteminder or Tivoli Access Manager,
what are they talking about? These are also gateways - aren't they
passing tokens around?

Thanks

Smith

On Thu, 5 Aug 2004 17:20:16 -0400, Scott Cantor
<>
wrote:
> > All that I want to do is provide a way to use the same SSO server for
> > authenticating a user at the gateway and later use the same token
> > within a Web or App Server so that I don't have to reauthenticate the
> > person.
>
> If the back-end server is a web server interacting directly with the client,
> then what's the gateway doing?
>
> If you can deploy the SAML SSO profile on the back-end, the gateway doesn't
> need to be there.
>
> If you can't, then you aren't doing SAML at that end, so you could
> authenticate to the gateway with SAML, and then do whatever it is that the
> back-end understands by having the gateway translate that credential into
> something else.
>
> That's in fact how a lot of the SAML products tend to work, from what I
> understand. They funnel the SAML SSO to one spot and then do something
> proprietary between there and the apps.
>
> Also, "reauthentication" and "use the same token" are orthogonal. SAML SSO
> is point to point (the token in 1.1 is service-specific and can't be reused) but
> that doesn't mean the user is authenticating over and over, at least not
> visibly. The authn authority maintains a session and just issues new tokens
> for each subsequent service.
>
> -- Scott
>
>
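
Added example, not part of the original thread: a simplified Python model of the point in the quoted reply that a token is service-specific, while the authn authority's session lets it issue a new token for each service without a visible re-login. It uses HMAC-signed JSON in place of SAML 1.1 XML and signatures; the names AuthnAuthority, accept and demo, the shared key, and the "gateway"/"app" service names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

class AuthnAuthority:
    """Toy authn authority: one login session, a fresh token per service."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # toy model: HMAC key shared with services
        self.sessions = {}                  # session id -> user
        self.logins = 0                     # count of visible authentications

    def login(self, user):
        self.logins += 1
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def issue(self, sid, audience, ttl=300):
        """Mint a token for one service from the existing session (no new login)."""
        claims = {"sub": self.sessions[sid], "aud": audience,
                  "exp": time.time() + ttl, "id": secrets.token_hex(8)}
        body = json.dumps(claims).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()

def accept(key, service, token):
    """Service-side check: integrity first, then audience, then expiry."""
    body, mac = token
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad signature"
    claims = json.loads(body)
    if claims["aud"] != service:
        return "wrong audience"
    if claims["exp"] < time.time():
        return "expired"
    return "ok"

def demo():
    idp = AuthnAuthority()
    sid = idp.login("alice")                      # constructed sample user
    gw_token = idp.issue(sid, "gateway")
    results = [accept(idp.key, "gateway", gw_token),           # token used where it was issued for
               accept(idp.key, "app", gw_token),               # same token forwarded to the back end
               accept(idp.key, "app", idp.issue(sid, "app"))]  # new token from the same session
    return results, idp.logins

if __name__ == "__main__":
    print(demo())
```

The back end rejects the gateway's token on the audience check, yet the user logged in only once, which is why a gateway that cannot hand the back end its own SAML token has to translate the credential into something else.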


