Some thoughts on how to approach this. First we have to decide on the security
abstraction layer in Syncope like:
1) Wicket (as implemented now)
2) Spring Security
3) Shiro
This decision is independent of what kind of security protocol is chosen like
WS-Federation, SAML, CAS (proprietary protocol) or OpenAM (might still be
proprietary, played with the fedlet feature two years ago).
The benefit of Spring Security is that there is a plugin for WS-Federation
(Fediz) and CAS already available and that it allows managing security on the
container level as well for customers who prefer that.
Provide access management features via Syncope.
What exactly is meant by this feature?
You also should consider OAuth for SSO
OAuth does not address SSO - only authorization. You still have to log in to
both applications.
Thanks
Oli
From: Fabio Martelli [fabio.marte...@gmail.com]
Sent: 23 September 2013 15:03
To: dev@syncope.apache.org
Subject: Re: [DISCUSS] Authentication features (WAS: Release Maggiore and
authentication modules)
On 23/09/2013 14:41, Francesco Chicchiriccò wrote:
Hi all,
sorry for crossposting: let's keep this discussion on dev@, so please
remove user@ from any future reply.
Thanks Francesco.
Hi all,
Starting a discussion thread in the developer sounds good.
We have to consider that there actually will be three things to
consider:
-Login to Syncope (this is where Shiro could come into play)
-SSO to Syncope
-Provide access management features via Syncope.
I would not mix things up and propose to keep discussion about the
latter out of Syncope. Probably there will be customers combining
Syncope with SSO products (e.g. CAS http://www.jasig.org/cas or
OpenAM http://openam.forgerock.org/), but building it into Syncope
bears the risk of losing focus.
Umm ... probably you are right. Maybe we have to narrow the set of AM
features to be provided.
In any case, if we choose to provide more AM features with CAS or
something else I'd suggest to work a lot at the integration level:
1. making integration (between Syncope and SSO product) easier and
stronger providing pieces of code written ad-hoc
2. improving centralized configurability
From my PPOV, it would be nice if a potential customer could see Apache
Syncope as a complete Identity Access Management solution.
Regards,
F.