Monday, July 25, 2005

Interesting post at sforce

Benji at had an interesting post today on the sforce blog. Here's the juicy part:

How do the clients, which all use web services to authenticate (using login and password today calling our login call), know where to get the SAML token from, in a standard way? There is no standard way to do this today, and even standards like WS-Trust don't seem to solve this problem. For example, you build a client using our web services apis. You deploy to all our customers. Customer A has one SAML provider. Customer B has another SAML provider. How does your code know where to go to get the token when deployed at customer A and at customer B, without configuring all of the clients with the location of the SAML provider?

Benji raises some excellent points here...he's effectively pointing out the issue of discovering a security token service. What makes this complicated is the security token service in many of Sxip's customers is on a private network, and customers don't wish to expose the url to the general public. An anonymous discovery service either can't personalize the response to either customer a or b, or you end up exposing sts endpoint locations inside customer a or b.

Anyone have any ideas on this tricky problem?

Sunday, July 10, 2005