Title: Where do you get those pesky user claims?
Gluu is using this approach where SAML is required for authentication, but UMA is required for Web access management. This implies that the UMA Authorization Server (AS), acting as the policy decision point (PDP), knows information about the person. For example, role (admin, manager, etc.) and group membership are frequently used by organizations for entitlements management. As is frequently the case, getting user claims is easier said than done. There are a few approaches.
In the first, the AS is just like any other backend OpenID Connect application. To get user claims, it needs to register as an OpenID Connect client at the person's home OP and request an access token to retrieve the id_token. In OX, there is a feature to pre-authorize a specific client. This may be an appropriate strategy if you don't want to prompt the user to authorize the request by the AS. The use case is similar to a portal, where it would be confusing to prompt the person to approve a backend component.

Centralized access control allows an organization to make policies about who can access what resources.
The second approach may not be as intuitive at first, but it's widely used. The idea is that the client provides the claims in the HTTP request to the AS. The common case is that the client is trusted. In some cases, the sent claims may be encrypted, and the client may not in fact be trusted. It really doesn't change the diagram.
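The second approach, together with the role and group entitlements mentioned at the top, as an added illustration that is not Gluu's or OX's code: the client pushes its claims to the AS as a signed token, and the AS (acting as PDP) verifies the signature before it evaluates role and group membership against a policy table. The shared secret, resource paths, scopes and policies are constructed sample values; a real deployment would use asymmetric keys or encrypted claims when the client is not fully trusted.

```python
import base64, hashlib, hmac, json

# Constructed shared secret between the trusted client and the AS (illustration only).
CLIENT_SECRET = b"constructed-client-secret"

# Constructed policy table: which roles / groups are entitled to which scope on a resource.
POLICIES = {
    "/finance/reports": {
        "view": {"roles": {"admin", "manager"}, "groups": set()},
        "edit": {"roles": {"admin"}, "groups": {"finance"}},
    },
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_claim_token(claims, secret=CLIENT_SECRET):
    """Client side: build a compact HS256 JWT carrying the user's claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_claim_token(token, secret=CLIENT_SECRET):
    """AS side: return the claims only if the token is well formed and the MAC matches."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token pick its own algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None

def authorize(resource, scope, claim_token):
    """PDP decision: grant the scope only if a verified role or group claim satisfies the policy."""
    claims = verify_claim_token(claim_token)
    if claims is None:
        return False
    rule = POLICIES.get(resource, {}).get(scope)
    if rule is None:
        return False
    roles = set(claims.get("roles", []))
    groups = set(claims.get("groups", []))
    return bool(roles & rule["roles"] or groups & rule["groups"])
```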
The last approach is the easiest: if the AS is also the IDP, it can grab the attributes from the database. This may be common for smaller deployments. Actually, this is the way many older Web access management platforms were designed.