[DISCUSS] Authentication features (WAS: Release Maggiore and authentication modules)

2013-09-23 Thread Francesco Chicchiriccò

Hi all,
sorry for crossposting: let's keep this discussion on dev@, so please 
remove user@ from any future reply.

Regards.

On 23/09/2013 14:22, Strunk, Wolfgang wrote:

> Hi all,
>
> Starting a discussion thread in the developer sounds good.
>
> We have to consider that there actually will be three things to consider:
>
> - Login to Syncope (this is where Shiro could come into play)
> - SSO to Syncope
> - Provide access management features via Syncope.
>
> I would not mix things up and propose to keep discussion about the
> latter out of Syncope. Probably there will be customers combining
> Syncope with SSO products (e.g. CAS http://www.jasig.org/cas or OpenAM
> http://openam.forgerock.org/), but building it in to Syncope bears
> the risk to lose focus.
>
> Wolfgang


--
Francesco Chicchiriccò

ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/



Re: [DISCUSS] Authentication features (WAS: Release Maggiore and authentication modules)

2013-09-23 Thread Fabio Martelli

On 23/09/2013 14:41, Francesco Chicchiriccò wrote:

> Hi all,
> sorry for crossposting: let's keep this discussion on dev@, so please
> remove user@ from any future reply.

Thanks Francesco.

> Hi all,
>
> Starting a discussion thread in the developer sounds good.
>
> We have to consider that there actually will be three things to
> consider:
>
> - Login to Syncope (this is where Shiro could come into play)
> - SSO to Syncope
> - Provide access management features via Syncope.
>
> I would not mix things up and propose to keep discussion about the
> latter out of Syncope. Probably there will be customers combining
> Syncope with SSO products (e.g. CAS http://www.jasig.org/cas or
> OpenAM http://openam.forgerock.org/), but building it in to Syncope
> bears the risk to lose focus.

Umm ... probably you are right. Maybe we have to narrow the set of AM 
features to be provided.
In any case, if we choose to provide more AM features with CAS or 
something else I'd suggest to work a lot at the integration level:
1. making integration (between Syncope and SSO product) easier and 
stronger providing pieces of code written ad-hoc
2. improving centralized configurability

From my POV, it would be nice if a potential customer could see Apache 
Syncope as a complete Identity & Access Management solution.


Regards,
F.


RE: [DISCUSS] Authentication features (WAS: Release Maggiore and authentication modules)

2013-09-23 Thread Oliver Wulff
Some thoughts to approach this. First we have to decide on the security 
abstraction layer in Syncope like:
1) Wicket (as implemented now)
2) Spring Security
3) Shiro

This decision is independent of what kind of security protocol is chosen like 
WS-Federation, SAML, CAS (proprietary protocol) or OpenAM (might still be 
proprietary, played with the fedlet feature two years ago).

The benefit of Spring Security is that there is a plugin for WS-Federation 
(Fediz) and CAS already available and that it allows to manage security on the 
container level as well for customers who prefer that.


> Provide access management features via Syncope.

What is exactly meant with this feature?


> You also should consider oAuth for SSO

OAuth does not address SSO - only authorization. You still have to login in 
both applications.

Thanks
Oli


From: Fabio Martelli [fabio.marte...@gmail.com]
Sent: 23 September 2013 15:03
To: dev@syncope.apache.org
Subject: Re: [DISCUSS] Authentication features (WAS: Release Maggiore and 
authentication modules)

On 23/09/2013 14:41, Francesco Chicchiriccò wrote:
> Hi all,
> sorry for crossposting: let's keep this discussion on dev@, so please
> remove user@ from any future reply.

Thanks Francesco.

> Hi all,
>
> Starting a discussion thread in the developer sounds good.
>
> We have to consider that there actually will be three things to
> consider:
>
> - Login to Syncope (this is where Shiro could come into play)
> - SSO to Syncope
> - Provide access management features via Syncope.
>
> I would not mix things up and propose to keep discussion about the
> latter out of Syncope. Probably there will be customers combining
> Syncope with SSO products (e.g. CAS http://www.jasig.org/cas or
> OpenAM http://openam.forgerock.org/), but building it in to Syncope
> bears the risk to lose focus.

Umm ... probably you are right. Maybe we have to narrow the set of AM
features to be provided.
In any case, if we choose to provide more AM features with CAS or
something else I'd suggest to work a lot at the integration level:
1. making integration (between Syncope and SSO product) easier and
stronger providing pieces of code written ad-hoc
2. improving centralized configurability

From my POV, it would be nice if a potential customer could see Apache
Syncope as a complete Identity & Access Management solution.

Regards,
F.