
What issues related to AuthZ are raised by federated authentication?

  • Unlike traditional, internally oriented applications, a federated application may not be pre-provisioned with information about its users. The first time a person uses the application is the first chance the application gets to learn anything about that user, who is unlikely to appear in the local domain's LDAP directory. Privilege assignment must therefore be done dynamically, at login time, based on the attributes presented by the remote IdP or by other third parties (for example an attribute authority), and the application must decide which of those attributes it trusts from which source.
  • In some cases there may be no simple subject that can be added to groups. For example, the IdP might not provide a unique, persistent identifier to the application at all; it might only provide general affiliation or entitlement information. The application can then authorize a session from those attributes, but it cannot recognise the same person on a later visit, record a local group membership for them, or attribute past actions to them.
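The following is an added example, not code from the original page, showing how both points above play out in an application that holds no local user records. Role decisions are computed from the asserted attributes at login; scoped attributes are accepted only when the scope matches the IdP that asserted them; and when no persistent identifier (eduPersonPrincipalName or eduPersonTargetedID) is present, the roles that depend on recognising the user again are withheld. The attribute names follow the eduPerson schema, but the trusted-IdP list, the entitlement URNs, the role names and the sample assertions are all hypothetical.

```python
"""Dynamic, attribute-based role assignment for a federated application.

Added example (not from the original page). The application holds no
pre-provisioned user records, so every role decision is computed at login
from the attributes the remote IdP asserted. Attribute names follow the
eduPerson schema; IdP entityIDs, entitlement URNs, role names and the
sample assertions used in the tests are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical trust configuration: each IdP entityID and the scope (domain
# suffix) it is allowed to assert in scoped attributes.
TRUSTED_IDPS: Dict[str, str] = {
    "https://idp.example.edu/idp/shibboleth": "example.edu",
}

# Hypothetical mapping from entitlement URNs to application roles.
ENTITLEMENT_ROLES: Dict[str, str] = {
    "urn:mace:example.edu:app:editor": "editor",
    "urn:mace:example.edu:app:admin": "admin",
}

# Hypothetical mapping from affiliation values to the baseline role.
AFFILIATION_ROLES: Dict[str, str] = {
    "faculty": "viewer",
    "staff": "viewer",
    "student": "viewer",
}

# Roles that require a persistent subject: the app must be able to recognise
# the same person again (local group membership, audit trail).
ROLES_NEEDING_SUBJECT: Set[str] = {"admin"}


@dataclass
class Decision:
    roles: Set[str] = field(default_factory=set)
    subject: Optional[str] = None   # persistent identifier, if the IdP gave one
    reasons: List[str] = field(default_factory=list)


def _split_scoped(value: str):
    """Split 'local@scope' into (local, scope); scope is '' if absent."""
    local, _, scope = value.rpartition("@")
    return (local, scope) if local else (value, "")


def authorize(issuer: str, attributes: Dict[str, List[str]]) -> Decision:
    """Derive roles from an assertion's attributes without any local user record."""
    decision = Decision()
    scope = TRUSTED_IDPS.get(issuer)
    if scope is None:
        decision.reasons.append(f"untrusted issuer {issuer}")
        return decision

    # 1. Persistent identifier: a scoped eduPersonPrincipalName whose scope
    #    matches the issuer, else an eduPersonTargetedID qualified by issuer.
    for eppn in attributes.get("eduPersonPrincipalName", []):
        _, s = _split_scoped(eppn)
        if s == scope:
            decision.subject = eppn
            break
        decision.reasons.append(f"ignored eppn with foreign scope: {eppn}")
    if decision.subject is None:
        targeted = attributes.get("eduPersonTargetedID", [])
        if targeted:
            decision.subject = f"{issuer}!{targeted[0]}"

    # 2. Affiliation: accept only the scope this issuer is trusted for, so one
    #    IdP cannot claim faculty status at another institution.
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, s = _split_scoped(value)
        if s != scope:
            decision.reasons.append(f"ignored affiliation with foreign scope: {value}")
            continue
        role = AFFILIATION_ROLES.get(affiliation)
        if role:
            decision.roles.add(role)

    # 3. Entitlements: exact-match URNs from the policy table.
    for value in attributes.get("eduPersonEntitlement", []):
        role = ENTITLEMENT_ROLES.get(value)
        if role:
            decision.roles.add(role)

    # 4. Without a persistent subject the session can still be authorised from
    #    attributes alone, but the user cannot be placed in a local group or
    #    held accountable later, so subject-dependent roles are withheld.
    if decision.subject is None:
        withheld = decision.roles & ROLES_NEEDING_SUBJECT
        if withheld:
            decision.roles -= withheld
            decision.reasons.append(
                f"withheld {sorted(withheld)}: no persistent identifier asserted")
    return decision
```

The scope check in steps 1 and 2 is the part most often skipped: an assertion from one IdP carrying `faculty@other.edu` must not grant the baseline role, because the issuer is only trusted to speak for its own scope. The `reasons` list is what you would log, since with no local account the assertion attributes and the issuer are the only audit evidence the application will ever have.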

What do people need to get done to tackle these issues?

Federated Use Cases should be collected here.
