Where do you get those pesky user claims?


Transcript and Presenter's Notes
Slide 1

Where do you get those pesky user claims?

Gluu is using this approach where SAML is required for authentication, but UMA is required for Web access management. This implies that the UMA Authorization Server (AS), acting as the policy decision point (PDP), knows information about the person. For example, role (admin, manager, etc.) and group membership are frequently used by organizations for entitlements management. As is frequently the case, getting user claims is easier said than done. There are a few approaches.

In the first, the AS is just like any other backend OpenID Connect application. To get user claims, it needs to register as an OpenID Connect client at the person's home OP and request an access token to retrieve the id_token. In OX, there is a feature to pre-authorize a specific client. This may be an appropriate strategy if you don't want to prompt the user to authorize the request by the AS. The use case is similar to a portal, where it would be confusing to prompt the person to approve a backend component. Centralized access control allows an organization to make policies about who can access what resources.

Slide 2

This second approach may not be as intuitive at first, but it's widely used. The idea is that the client provides the claims in the HTTP request to the AS. The common case is that the client is trusted. In some cases, the sent claims may be encrypted, and the client may not in fact be trusted. It really doesn't change the diagram.

This last approach is the easiest: if the AS is also the IDP, it can grab the attributes from the database. This may be common for smaller deployments. Actually, this is the way many older Web access management platforms were designed.
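The second approach only holds up if the AS can tell which client pushed the claims and that they were not altered on the way. The following added example (not Gluu or OX code) shows an AS that accepts pushed claims only as a JWS signed by a registered client and then feeds the role and group claims into the policy decision. Client ids, secrets, claim values and the policy itself are constructed for the illustration.

```python
import base64, hashlib, hmac, json

# Constructed: secrets the AS holds for clients it trusts to push claims.
# A real AS would take these from client registration; the values are made up.
TRUSTED_CLIENT_SECRETS = {"portal-client": b"constructed-portal-secret"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_claims(client_id: str, claims: dict, secret: bytes) -> str:
    """Client side: wrap the pushed claims in a compact JWS (HS256) issued by client_id."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(dict(claims, iss=client_id)).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_pushed_claims(token: str) -> "dict | None":
    """AS side: return the claims only if a registered client signed them."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm instead of trusting the header's choice
    if not isinstance(payload, dict):
        return None
    secret = TRUSTED_CLIENT_SECRETS.get(payload.get("iss"))
    if secret is None:
        return None  # unregistered client: its claims carry no weight
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: tampered payload or wrong key
    return payload

def pdp_decide(token: str, resource: str) -> bool:
    """PDP: the role claim gates /admin, group membership gates everything else."""
    claims = verify_pushed_claims(token)
    if claims is None:
        return False
    if resource == "/admin":
        return claims.get("role") == "admin"
    return "staff" in claims.get("groups", [])
```

Encrypting the pushed claims, as the slide mentions, protects them from eavesdroppers but does not replace this origin check.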