SAML Secure Attribute Exchange

This topic contains 3 replies, has 4 voices, and was last updated by  mreines 2 months, 1 week ago.

    #8782
     dave74 
    Participant

    Hi,

    We know that we can achieve SAML Virtual Federation through “Secure Attribute Exchange” (SAE)

    When the IDP-side legacy application authenticates the user and sends the attributes, including the userID, to the local OpenAM (which will eventually forward them to the SP-side OpenAM, where the SP-side legacy application is running).

    I would like to know,

    #1 Will the local IDP OpenAM configured with SAML SAE re-authenticate the user?

    #2 Would the IDP federated session prepared in the local IDP in any case be different from the standard SSO session?

    #3 How would the IDP acting as SAML gateway map the incoming user in the SAE to the PRINCIPAL in its userstore?
    I believe the SAE Authentication Module will assert the incoming user, but there is no further configuration for this module. So I would like to know what the default behavior is for mapping the userID to the userstore.

    Thanks.

    #8827
     Peter Major 
    Moderator

    SAE is a legacy feature of OpenAM and I really hope it can be killed with time. I’m just not sure if setting up SAE with your applications is the most forward-looking approach.

    #10481
     inetquestion 
    Participant

    Experienced a problem with SAE and time drift between two servers this morning… I wasn’t aware SAE had any binding to time since we used symmetric encryption. Apparently it does because the drift was over 8 minutes, and as soon as drift was corrected, SAE started working. Deducing this was difficult because the only message we found was: “errcode=4,verifyEncodedStringFailed”… Perhaps obvious to some, but wasn’t to me. :)

    Are there any settings related to skew time for SAE? Not planning to change them, just curious what the limits are.
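The post above describes a symmetric-key token that still fails once the two servers' clocks drift apart. The following is an added illustration, not OpenAM's SAE code: a constructed HMAC-protected attribute token that carries an issue timestamp, and a verifier that checks the MAC first and then enforces a clock-skew window. The window value (300 seconds), the token layout and the error codes are assumptions for the example; the thread does not state SAE's real limits. The point for an operator is that a verifier which reports skew separately from MAC failure is far easier to troubleshoot than one that folds both into a single "verify failed" message.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed skew window for this example; the real SAE limit is not given in the thread.
MAX_SKEW_SECONDS = 300
MAC_LEN = hashlib.sha256().digest_size


def create_token(attrs, key, issued_at=None):
    """Build a constructed attribute token: base64(json(attrs + ts) || HMAC-SHA256)."""
    body = dict(attrs)
    body["ts"] = int(issued_at if issued_at is not None else time.time())
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token, key, now=None, max_skew=MAX_SKEW_SECONDS):
    """Return (attrs, None) on success or (None, error_code) on failure.

    MAC is checked before the timestamp so that a forged token is rejected
    without revealing anything about the skew window, and so that a genuine
    token from a drifted peer gets its own distinct error code.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None, "malformed"
    if len(raw) <= MAC_LEN:
        return None, "malformed"
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None, "mac_mismatch"
    try:
        body = json.loads(payload)
        ts = int(body.pop("ts"))
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > max_skew:
        return None, "timestamp_out_of_window"
    return body, None


def demonstrate():
    """Reproduce the scenario from the post with a fixed clock: 8 minutes of drift."""
    key = b"constructed-shared-secret"      # constructed sample key
    issued = 1_700_000_000                   # constructed fixed clock on the sender
    token = create_token({"userid": "alice"}, key, issued_at=issued)
    return {
        "in_sync": verify_token(token, key, now=issued + 60),
        "drifted_8_min": verify_token(token, key, now=issued + 8 * 60),
        "wrong_key": verify_token(token, b"other-secret", now=issued + 60),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

Running the block prints one line per case: the in-sync receiver gets `{'userid': 'alice'}`, the receiver eight minutes out gets `timestamp_out_of_window` even though the MAC was valid, and the wrong key gets `mac_mismatch`. When diagnosing a failure like the one in the post, checking both peers' clocks before touching keys is the cheap first step.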

    #23155
     mreines 
    Participant

    I have a concern about the comment on SAE being a legacy feature of AM. Has it been replaced? What would be a more forward-looking approach to a Virtual Federation (remote IdP and remote SP, but utilizing AM for the cookie/token once authenticated)?
