Intended Audience: here's what you want to get done, here are the issuesWhat are the things that people need to get done to tackle these issues?
- Are we still at a point where we have lots of local solutions, but not enough experience to identify best practices?
What are the issues related AuthZ that are raised by federated authentication?
- Unlike traditional internal oriented applications, federated application may not be pre-provisioned with information about the users of the application. The first time a person uses the application is the first change that the application gets to learn anything about the user. The user is unlikely to appear in a local domain's LDAP directory. The privilege assignment must be done dynamically, based upon the attributes presented by the remote IdP or other third parties.
- In some cases we may not have a simple subject which can be added to groups. For example, the IdP might not be providing a unique persistent identifier to the application. It might only be providing general affiliation or entitlement information.
- How do we communicate to remote IdPs that a group of applications are cooperating applications, for which users should be presenting a single targeted-id, across each of the cooperating applications? What if the cooperating applications are hosted in different enterprises or by different universities?
Federated Use Cases should be collected here.
Reading materials: