Bridging the SAML and OAuth 2.0 frameworks is a well understood problem. The following stack of IETF specs provides a standard solution:
If you look at the core OAuth 2.0 spec (RFC 6749) and its token endpoint definition - this is basically an OAuth server endpoint which returns an access token in exchange for a "grant" -- an open-ended concept of something deemed appropriate to grant the client app the issue of an access token. In the typical OAuth scenario this is an authorisation code signifying that the user has been previously authenticated and given their consent. But the grant could also be something else.
There is a further IETF spec called draft-ietf-oauth-assertions-16 that builds on the core RFC 6749 standard which says that the grant can also be an assertion (a signed proof of something) and defines the necessary token request parameters for that.
Finally, there is draft-ietf-oauth-saml2-bearer-20, which specifies how this assertion can be a SAML 2.0 Bearer Assertion.
This standard mechanism for converting a SAML assertion into an OAuth 2.0 access token is essentially all that is needed to bridge the two frameworks.
To ensure removal of users is properly reflected by the authorisation systems there are two approaches, which can be combined:
Make the OAuth 2.0 access tokens short lived. This will force the client to repeat the authorisation process when the token expires, and if the user no longer exists authentication will fail and no grant (SAML assertion) will be issued.
Provide an API for revoking issued OAuth 2.0 access tokens, see RFC 7009 for details.
Group items tagged
JAAS Reference Guide - 0 views
JSSE Reference Guide for the JDK 5.0 - 0 views
Enterprise Git Repository Management | Atlassian - 1 views
-
"On-premises source code management for Git that's secure, fast, and enterprise grade. Create and manage repositories, set up fine-grained permissions, and collaborate on code - all with the flexibility of your servers."
Joyent Triton™ - 0 views
-
"Joyent Triton™ is designed from the ground up to radically simplify container deployments in production, at scale, while delivering enterprise-grade security, software-defined networking, and bare-metal performance. Deploy Triton Elastic Container Infrastructure in your datacenter or leverage the Triton Elastic Container Infrastructure Service in the Joyent Public Cloud."
AWS | Amazon EC2 Container Service | Container Management - 0 views
-
"Amazon EC2 Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles. You can use Amazon ECS to schedule the placement of containers across your cluster based on your resource needs and availability requirements. You can also integrate your own scheduler or third-party schedulers to meet business or application specific requirements."
Documentation | Pusher - 0 views
-
"Pusher is a simple hosted API for quickly, easily and securely integrating realtime bi-directional functionality via WebSockets to web and mobile apps, or any other Internet connected device."
authorization - SAML2 vs. OAuth - What are some reasonable relationships? - Information... - 0 views
-
Es un problemón conocido y con blancos sin estandarizar el juntar SAML 2.0 en cuanto a AuhN y Oauth2 para autorización. Éste post es el mas sintético que encontré con un agregado de valor muy alto: Deja entrever que aunque no sea estándar, el mecanismo es posible, y se basa en convertir una aserción SAML2 en un token de acceso OAuth2. uno puede transliterar ésta propocisión así: "convertir una aserción CLAVE FISCAL en un token de acceso OAuth2". La pregunta es: ¿Que será una aserción CLAVE FISCAL?
Core Blog - 1 views
-
Que tul? Announcing CoreOS Enterprise Registry, a secure Docker registry behind your firewall October 30, 2014 · By Joey Schorr
Stackato: The Platform for the Agile Enterprise - 0 views
-
"Stackato is a secure, stable, and commercially supported Platform-as-a-Service (PaaS) that is built with and on top of various open source components such as Cloud Foundry and Docker."
VirtualBoxes - Free VirtualBox® Images | Ready-to-use virtual machines sporti... - 0 views
-
"Welcome to the VirtualBox® Images project website. This project provides virtual machines for Sun XVM VirtualBox® sporting several free and/or open-source operating systems, such as GNU/Linux or Free/Net/OpenBSD for testing, security and/or entertainment purposes."
Docker private registry authentication - OpenDNS Engineering - 3 views
-
Security is part of everyday life. We lock our doors, protect our banking information with passwords that are usually so complicated that we tend to forget them. Using common sense to secure systems is just good practice. It's really easy to assume that because a system is internal, there is no need to enable authentication ...
Tsuru - 0 views
-
"Tsuru is an extensible and open source Platform as a Service software. Deploy Fast and secure. The entire process is really simple with no special tools needed, just a simple git push. Scale Scaling in Tsuru is completely painless. Just add a unit and Tsuru will take care of everything else. Extend Tsuru is built to be extensible. Through services you can provide anything your application needs."
Generate Mozilla Security Recommended Web Server Configuration Files - 1 views
-
Generador de configuraciones de conectores ssl de apache, nginx, haproxy optimizadas por versión del servidor, antiguedad de clientes a soportar, etc. Muy bueno.
Changes in Password Best Practices - Schneier on Security - 0 views
-
"NIST recently published its four-volume SP800-63b Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords: Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise. Let people use password managers. This is how we deal with all the passwords we need."
Kubernetes: Kubernetes 1.10: Stabilizing Storage, Security, and Networking - 0 views
Libpuzzle - A library to find similar pictures - 0 views
-
"The Puzzle library is designed to quickly find visually similar images (GIF, PNG, JPG), even if they have been resized, recompressed, recolored or slightly modified. The library is free, lightweight yet very fast, configurable, easy to use and it has been designed with security in mind."
WireGuard: fast, modern, secure VPN tunnel - 0 views
-
"WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN."
Crypto-Gram: October 15, 2017 - Schneier on Security - 0 views
-
NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords: * Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases. * Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise. * Let people use password managers. This is how we deal with all the passwords we need.
-
Para tener en cuenta.
-
‹ Previous
21 - 40 of 80
Next ›
Last »
Showing 20▼ items per page