Saturday, January 13, 2007

Security scenarios -- Part 1

Sxip covers certain security scenarios well.

  1. There is a user who has already been authenticated inside MyCompany's corporate domain and wishes to reach a web site hosted elsewhere on the Internet without being challenged again. Authentication at the remote web site happens silently against the Corporate Directory by way of Sxip. Authorization at the remote web site can be based on user attributes held in the Corporate Directory and carried to the site in the SAML assertion. This is the local user/centralized authorization/remote web site scenario, solved with single sign-on.

  2. There is a user who belongs to MyCompany, is working remotely, and wants to access a remote web site. Authorization decisions are based on user attributes maintained by the remote web site itself (e.g. roles). The user logs in with a username specific to the application and the password from her Windows account. This is not really single sign-on, because at a second remote web site the user has to log in again. In this scenario the authorization decision point is the remote web site, not the Corporate Directory. This is the remote user/decentralized authorization/remote web site scenario, solved with a single password rather than a single sign-on.
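Scenario 1 as an added worked example, written for this page rather than taken from Sxip or the original post. It is a toy model, not real SAML: a JSON claim set signed with HMAC-SHA256 stands in for a signed SAML assertion, one shared key stands in for the IdP's signing key and the remote site's trust anchor, and the directory contents, key and site URL are all constructed. What it shows is the division of labour in the first row of the grid: the corporate side issues the token from directory attributes without the password ever leaving the directory, and the remote site makes its authorization decision entirely from attributes it can verify, rejecting tokens that are tampered with, expired, or addressed to another site.

```python
"""Added illustration of scenario 1 (token authentication). Not Sxip's code and
not real SAML: a JSON claim set signed with HMAC-SHA256 stands in for a signed
SAML assertion, and one shared key stands in for the IdP signing key and the
remote site's trust anchor. Directory contents, key and URLs are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed Corporate Directory, keyed by corporate username. The password
# is listed only to make the point that it is never copied into the token.
CORPORATE_DIRECTORY = {
    "alice": {"password": "correct horse", "email": "alice@mycompany.example",
              "roles": ["employee", "finance"]},
    "bob": {"password": "battery staple", "email": "bob@mycompany.example",
            "roles": ["employee"]},
}
IDP_SIGNING_KEY = b"example-only-idp-signing-key"        # constructed
REMOTE_SITE_AUDIENCE = "https://timesheets.asp.example"  # constructed
TOKEN_LIFETIME = 300  # seconds a token stays valid


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(username: str, audience: str, now: Optional[float] = None) -> str:
    """IdP side. The user already authenticated to the corporate domain, so no
    credential is checked here; directory attributes are copied into the
    claims and the whole claim set is signed."""
    entry = CORPORATE_DIRECTORY[username]
    now = int(time.time() if now is None else now)
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + TOKEN_LIFETIME,
              "attrs": {"email": entry["email"], "roles": list(entry["roles"])}}
    body = b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64u(sig)


def sp_verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Remote site side. Accept the claims only if the signature verifies, the
    token was issued for this site (audience) and it is inside its validity
    window. Any failure returns None; the site never talks to the directory."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64u(sig), expected):
            return None
        claims = json.loads(unb64u(body))
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != REMOTE_SITE_AUDIENCE:
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims


def sp_authorize(claims: dict, required_role: str) -> bool:
    """Authorization decided from attributes carried in the token, which is
    what makes this the centralized-authorization row of the grid."""
    return required_role in claims["attrs"]["roles"]


def access_remote_site(username: str, required_role: str, now: Optional[float] = None) -> str:
    """End to end: silent token issue, then verification, then attribute-based authz."""
    claims = sp_verify_token(idp_issue_token(username, REMOTE_SITE_AUDIENCE, now), now)
    if claims is None:
        return "denied: token rejected"
    return "granted" if sp_authorize(claims, required_role) else "denied: missing role"


def forge_role(token: str, role: str) -> str:
    """What a user who can edit the token in her browser might try: add a role
    to the claims while keeping the IdP's signature. Used to show it fails."""
    body, sig = token.split(".")
    claims = json.loads(unb64u(body))
    claims["attrs"]["roles"].append(role)
    return b64u(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    print(access_remote_site("alice", "finance"))  # granted
    print(access_remote_site("bob", "finance"))    # denied: missing role
    print(sp_verify_token(forge_role(idp_issue_token("bob", REMOTE_SITE_AUDIENCE), "finance")))  # None
```

The audience check is the part most often skipped in toy versions and the one that matters most here: without it, a token the corporate IdP issued for one ASP could be replayed at any other ASP that trusts the same IdP. Real SAML expresses the same three checks as the XML signature, the `<Audience>` element and the `NotBefore`/`NotOnOrAfter` conditions.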

These are the two scenarios Sxip Access for ASPs seems to address. These two scenarios begin to define a grid. Let's consider the grid.

User Location | User Affiliation | Identity Store      | Access Policy Store | App Location | Solution
--------------|------------------|---------------------|---------------------|--------------|---------
Local         | MyCompany        | Corporate Directory | Corporate Directory | Internet     | Single sign-on with SAML, aka Token Authentication (Sxip Access for ASPs)
Remote        | MyCompany        | Mixed Mode          | ASP Store           | Internet     | Single password (the corporate password), aka Delegated Authentication (Sxip Access for ASPs)

Note that "Mixed Mode" means the username is resolved against the ASP store while the password is verified against the Corporate Directory, and the login succeeds only if the ASP-store username and the Corporate Directory account can be harmonized, that is, shown to belong to the same person.
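Scenario 2 and its "Mixed Mode" login as an added worked example, again written for this page and not Sxip's code. Dictionaries stand in for the ASP store and the Corporate Directory, a PBKDF2 verifier stands in for the directory's password check, the directory bind is a local function call, and every account, password and role is constructed. The point it makes is where the harmonization lives: the ASP record carries the corporate account it was linked to at provisioning time, the password is verified only against that account, and the roles that drive authorization come from the ASP store, so the decision point is the site, not the directory.

```python
"""Added illustration of scenario 2 / "Mixed Mode" (delegated authentication).
Not Sxip's code: dictionaries stand in for the ASP store and the Corporate
Directory, a PBKDF2 verifier stands in for the directory's password check, and
the directory bind is a local function call. All accounts and data are
constructed for the example."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 20_000  # kept low for the example; a real directory uses more


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_directory_entry(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(password, salt)}


# Constructed Corporate Directory: corporate accounts and password verifiers.
CORPORATE_DIRECTORY = {
    "MYCOMPANY\\alice": make_directory_entry("correct horse"),
    "MYCOMPANY\\bob": make_directory_entry("battery staple"),
}

# Constructed ASP store: application usernames, application roles, and the
# corporate account each application user was linked to when provisioned.
# That link is the "harmonization". It is data the site holds, never
# something the user types into the login form.
ASP_STORE = {
    "alice.t": {"corp_account": "MYCOMPANY\\alice", "roles": ["submitter", "approver"]},
    "bob.t": {"corp_account": "MYCOMPANY\\bob", "roles": ["submitter"]},
    "carol.t": {"corp_account": None, "roles": ["submitter"]},  # never linked
}
DUMMY_SALT = bytes(16)


def directory_verify_password(corp_account: str, password: str) -> bool:
    """Corporate Directory side: is this the password of corp_account?"""
    entry = CORPORATE_DIRECTORY.get(corp_account)
    if entry is None:
        derive(password, DUMMY_SALT)  # same cost as a real check, so an unknown
        return False                  # account is not cheaper than a wrong password
    return hmac.compare_digest(derive(password, entry["salt"]), entry["verifier"])


def asp_login(app_username: str, password: str, required_role: str) -> str:
    """Remote site side. The username resolves against the ASP store, the
    password against the Corporate Directory, and only for the corporate
    account the ASP record is harmonized with. Roles come from the ASP store,
    so the authorization decision point is the site, not the directory."""
    record = ASP_STORE.get(app_username)
    if record is None or record["corp_account"] is None:
        return "denied: no harmonized corporate account"
    if not directory_verify_password(record["corp_account"], password):
        return "denied: corporate password rejected"
    return "granted" if required_role in record["roles"] else "denied: missing role"


if __name__ == "__main__":
    print(asp_login("alice.t", "correct horse", "approver"))   # granted
    print(asp_login("alice.t", "battery staple", "approver"))  # denied: corporate password rejected
    print(asp_login("carol.t", "correct horse", "submitter"))  # denied: no harmonized corporate account
```

Two things a practitioner should take from this. The corporate account to verify against must come from the site's own record, as here; if the login form let the user name the corporate account as well, anyone holding any valid corporate password could log in as any application user. And because the corporate password is typed into, and verified on behalf of, the remote site, each ASP performs its own delegated check and keeps its own session, which is exactly why the text calls this a single password rather than single sign-on.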

The grid has more cells than the two rows filled in so far: User Affiliation can also be OtherCompany, and App Location can be an Extranet rather than the Internet.

Stay tuned. There is definitely more to come.
Technorati Tags: SAML, sxip identity
