Limits to the Two-Layer Protocol Architecture
At first glance, we seem to have managed to preserve our model (i.e., the
Two-Layer Protocol Architecture) even when faced with a requirement to
support federated identity. The developers of the CASShib Gateway certainly
have the right architectural idea.
However, the implementation of CASShib lacks maturity at the time of
writing. The product and architecture have not been security-certified. More
worryingly for its prospects, it has not gathered the critical mass of
development activity required for a successful Open Source project, and its
development has languished. Therefore we don't believe we can avoid the
complexity of a full-fledged Service Provider infrastructure at each business
application node where federated identity is to be supported.
A more realistic implementation of federated identity may look like the
following diagram. The same application, when accessed by locally-
provisioned users as well as by users not locally provisioned, would need to
be exposed as two separate domain names (URLs) and protected through
two different mechanisms. This model is more complex at each application
node, but it has its own overall symmetry when you gaze at it for a while.
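To make the "two domain names, two mechanisms" arrangement concrete, the following Apache reverse-proxy configuration is an added illustration and is not from the book or from any of the projects it discusses. It assumes that locally-provisioned users are authenticated by CAS (mod_auth_cas) on one hostname, that federated users are authenticated by a Shibboleth Service Provider (mod_shib) on a second hostname, and that both front the same backend application. All hostnames, URLs, the backend address and the X-Authenticated-User header name are placeholders; TLS directives are omitted.

```apache
# Added illustration (not from the book). One backend application, two public
# hostnames, two authentication mechanisms. All names and addresses are placeholders.

# Hostname for locally-provisioned users: protected by CAS via mod_auth_cas.
<VirtualHost *:443>
    ServerName app.internal.example.com

    CASLoginURL    https://cas.example.com/cas/login
    CASValidateURL https://cas.example.com/cas/serviceValidate
    CASCookiePath  /var/cache/apache2/mod_auth_cas/

    <Location />
        AuthType CAS
        Require valid-user
    </Location>

    # Internal layer: hand the authenticated principal to the backend in a header.
    # "set" overwrites any value a client tried to supply for this header.
    RequestHeader set X-Authenticated-User "expr=%{REMOTE_USER}"

    ProxyPass        / http://app-backend.internal:8080/
    ProxyPassReverse / http://app-backend.internal:8080/
</VirtualHost>

# Hostname for federated (not locally-provisioned) users: protected by the
# Shibboleth SP via mod_shib.
<VirtualHost *:443>
    ServerName app.partners.example.com

    # The SP's own endpoints (assertion consumer service, metadata, logout)
    # must be served by mod_shib, not proxied to the backend.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    ProxyPass /Shibboleth.sso !

    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

    # Identity arrives as a SAML attribute exported by the SP as an environment
    # variable; eppn is assumed here as the attribute name.
    RequestHeader set X-Authenticated-User "%{eppn}e"

    ProxyPass        / http://app-backend.internal:8080/
    ProxyPassReverse / http://app-backend.internal:8080/
</VirtualHost>
```

Two points a practitioner would check in such a setup: the backend must be reachable only through these proxies (otherwise anything that can reach port 8080 directly can assert an identity simply by sending the header), and each hostname carries exactly one authentication mechanism, so a session established under one hostname does not silently satisfy the other. That separation is the "symmetry" of the model: the gateway layer differs per population, while the application behind it sees a single, uniform identity header in both cases.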