IDPros / bok

This is a public comment environment for the IDPro body of knowledge.

Cloud Service Authenticates Via Delegation – SAML Article Review #110

Closed ericonidentity closed 2 years ago

ericonidentity commented 2 years ago

Cloud Service Authenticates Via Delegation – SAML https://bok.idpro.org/article/id/79/

Is the topic still relevant? Yes, SAML is extensively in use

Is the information still accurate? Yes

Is the information complete? Yes

General comments

Considering that SAML is not specific to cloud services, and the method discussed in the article is not specific to cloud services (a LOB application could be federated with an on-premises identity provider), should the title of the article be updated, unless the intention of the article was to describe the authentication method from the perspective of the IDP as an IDaaS platform? Also, as noted in another issue, the delegation term can seem somewhat confusing in the title as there is no reference in the content.

The Components section indicates Trust Anchor, however, all other trust references are to Trust Root. Should language be aligned here?

There are also some other paths taken with certain cloud IDaaS platforms, such as historically ignoring request signing; not sure if this should be somehow highlighted in the alternative paths, even though conversely don't want to just pile on all the various options if reality is that "happy path" = most secure path (as some may argue lack of request signing verification and relying on other aspects for authenticity check are not strong enough).

Line 76: "an RP", should this be "a RP"?

Aside from these few small things, the article stands up quite well.

cronical commented 2 years ago

Great comments @msfthiker. I'm struggling a bit with what a better title would be. I can see that Cloud Services could be a misleading title.

What do you think of

Browser uses web-based application which delegates authentication

?

cronical commented 2 years ago

Moving title to new issue.