OpenSAML user discussion

["Scott Cantor" <>]

> So,  I have a basic question then.  When many gateways like
> DataPower's XS40, F5 Networks or Juniper's SSL/VPN or someother XML
> Firewall/Gateway or SSL/VPN vendor says that they have integrated
> their appliance with a Netegrity Siteminder or Tivoli Access Manager,
> what are they talking about?  These are also gateways- aren't they
> passing tokens around?

Dunno, I'm assuming they mean that they accept SAML SSO as an authentication
mechanism, not that they issue SAML in turn to something else. That assumes
that by "integrated with X" they even did it with SAML. I would guess other
options for doing that might exist with many products.

In terms of interoperating with those products using SAML, there's not
really a wealth of profiles to choose from. SAML 1.1 profiles basically do
browser SSO and a few stand-alone back-channel things. They could maybe use
queries to get SAML assertions and then do something with them, but the sum
total of those interactions isn't standardized.

But a common gateway approach I'm sure is that the SAML product
authenticates a user to the Gateway using the SAML SSO profiles they both
implement, and then the gateway does something else to do whatever it is
that it's designed to do. The SAML piece is to enable you to federate access
to the gateway, after which it probably maps that identity to some kind of
policy that would determine what the user could do.

But I'm totally speculating, so I'll shut up now.

-- Scott