<[email protected]> wrote:
<snip>
> Nothing I've heard thus far has made me think that this is an
> inherently bad idea, I suppose what I need is help in accomplishing it
> (and preferably accomplish it in Mozilla - our application is quite
> AJAXy and the Javascript speedup in Firefox 3.1 is a godsend)
Since I don't have a map over your system, I can only do what Ian G did (reading between the lines), and unfortunately I come to the conclusion that your scheme indeed may be a bit flawed. Please note that this may be due to lack of information!!!

So how should it be then? Users (maybe also machines) authenticate to a local AD or similar using whatever mechanism the actual organization can support. This is based on the assumption that users (employees) are locally known etc. After successful authentication the result is a SAML assertion redirecting to the application (cloud service?).

What's the point with that, you may wonder? Administration becomes a breeze and you may also have different authentication schemes in different places. The latter may seem bad, but if banks had plotted with the idea that all clients should have the same security solution, we wouldn't be able to send money from bank A to bank B. That's the true power of federation versus an all-mighty directory that is always filled with incorrect information.

I would also not completely overlook the fact that maybe 75% of all EU banks use some kind of OTP solution for their on-line services. OTP sure has warts but it doesn't require middleware and card-readers.

Anders

-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

