walterking
commented
8 years ago Honestly, we didnt know what saml was when we built it, and still find the iam docs confusing on what mechanism is best. It was also brought up here: https://github.com/AdRoll/hologram/issues/39.
We have a saml server now, shibboleth, and could see using that, though I've found it a difficult piece of software to use and configure. One of the hold backs on merging the role support ticket was I wanted to make sure we could unify that with how saml worked so you get the same role from either system. We would still need an authentication mechanism - client ssl seems like the obvious one, since we don't want to have to type a password in every time and i think its already supported.
But on the other hand, simple is good, and provides a redundant mechanism for logging in.
copumpkin
Krylon360
It seems like the hologram server is playing the part of a simplified SAML identity provider, and the client could be taking SAML assertions from such a provider and calling
AssumeRoleWithSAMLdirectly.I'm wondering if the AdRoll team considered using that approach and what the downsides might be.