The problem with Policy Agents + SAML and Access Manager using SimpleSAMLphp

Policy Agents are good and bad when it comes to Access Managers and Identity Management. The good:

  • Clients don't have to add authentication code to their applications; the agent handles it in the web server.

And the bad:

  • Clients do have to install a Policy Agent on their infrastructure.

This part can be a problem. Policy Agents do not support all platforms, and of the ones they do support, I’ve found their implementation of features to be of a … variable quality.

So we’ve got clients who use various flavours of Linux with various web servers, including some which may never be supported by an agent. So what do we do?

Well, we’re piloting a machine with simpleSAMLphp as an IDP, protected by a Policy Agent. At the other end, any web server that runs PHP can run simpleSAMLphp as an SP.

So when someone accesses the SP and clicks the login link, the SP redirects them to the IDP with a SAML authentication request (the assertion only comes back the other way). The policy agent on the IDP machine intercepts that request and forces the user to authenticate against the Access Manager, then injects the user’s information into the request (as headers or environment variables). The IDP copies that information into the SAML assertion it issues, and the SP receives the assertion. The whole design rests on one guarantee: every request to the IDP passes through the agent, so the injected values can only have come from it and never from the client.
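As an added example (not code from the original post or from the simpleSAMLphp project), here is what the IDP end of that design looks like: a minimal custom simpleSAMLphp 1.x authentication source that turns the values the policy agent injected into SAML attributes. The module name `agentauth`, the header names (`UID` and `MAIL`, which PHP exposes as `$_SERVER['HTTP_UID']` and `$_SERVER['HTTP_MAIL']`) and the `|` separator for multi-valued attributes are assumptions; set them to match the agent’s attribute-mapping configuration.

```php
<?php
// Added example, not code from the original post or the simpleSAMLphp project.
// File: modules/agentauth/lib/Auth/Source/Agent.php  (module name "agentauth" is assumed)
// Enable with an empty file modules/agentauth/enable, then in config/authsources.php:
//
//   'agent' => array(
//       'agentauth:Agent',
//       'headers' => array(          // $_SERVER key set by the agent => SAML attribute (assumed names)
//           'HTTP_UID'  => 'uid',
//           'HTTP_MAIL' => 'mail',
//       ),
//       'required'  => 'HTTP_UID',   // without this key the request is treated as unauthenticated
//       'separator' => '|',          // assumed multi-value separator; match the agent's setting
//   ),
//
// and point metadata/saml20-idp-hosted.php at 'auth' => 'agent'.

class sspmod_agentauth_Auth_Source_Agent extends SimpleSAML_Auth_Source {

    /** @var array map of $_SERVER key => SAML attribute name */
    private $headers;
    /** @var string $_SERVER key that must be present for the request to count as authenticated */
    private $required;
    /** @var string separator the agent uses to join multi-valued attributes */
    private $separator;

    public function __construct($info, $config) {
        parent::__construct($info, $config);
        if (!isset($config['headers']) || !is_array($config['headers'])) {
            throw new Exception('agentauth: missing "headers" map in authsources.php');
        }
        $this->headers   = $config['headers'];
        $this->required  = isset($config['required'])  ? $config['required']  : 'HTTP_UID';
        $this->separator = isset($config['separator']) ? $config['separator'] : '|';
    }

    /**
     * Build the attribute set from what the policy agent injected. Nothing here
     * talks to the Access Manager: the agent already forced the login before PHP
     * ran. That is why this source is only safe when the agent is guaranteed to
     * intercept every request to the IDP and to strip or overwrite any
     * client-supplied header of the same name.
     */
    public function authenticate(&$state) {
        $attributes = self::attributesFromServer($_SERVER, $this->headers,
                                                 $this->required, $this->separator);
        if ($attributes === null) {
            // No agent-supplied identity: fail closed rather than issue an empty assertion.
            throw new SimpleSAML_Error_Exception(
                'agentauth: request did not pass through the policy agent');
        }
        $state['Attributes'] = $attributes;
    }

    /**
     * Pure helper, kept free of globals so it can be exercised without a web server.
     * Returns simpleSAMLphp's attribute format (name => array of values), or null
     * when the required key is absent or empty.
     */
    public static function attributesFromServer(array $server, array $map, $required, $separator) {
        if (empty($server[$required])) {
            return null;
        }
        $attributes = array();
        foreach ($map as $key => $name) {
            if (!isset($server[$key]) || $server[$key] === '') {
                continue;
            }
            $values = array_map('trim', explode($separator, $server[$key]));
            $attributes[$name] = array_values(array_filter($values, 'strlen'));
        }
        return $attributes;
    }
}
```

Before trusting it, test the guarantee from outside the agent: request the IDP’s single sign-on endpoint directly with a forged header (`curl -H 'UID: someoneelse' https://idp.example.org/simplesaml/saml2/idp/SSOService.php` with the hostname assumed here) and confirm you are redirected to the Access Manager login rather than handed an assertion. If the forged value comes back in an assertion, the agent is not in front of every request and this auth source must not be deployed.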

This loose coupling of OpenSSO + simpleSAMLphp is discussed in more detail on Sun’s website.

Free Sun Access Manager training

If you’re deploying the Sun Identity Management suite in a complex deployment, then check out Sun’s Free OpenSSO training. This training gives you a workbook and a virtual machine, and walks you through the process of:

  1. Setting up Apache Tomcat 6
  2. Enabling HTTPS support on Tomcat
  3. Setting up Sun Java Web Server 7 as a load balancer
  4. Deploying OpenSSO to Tomcat
  5. Setting up Session failover
  6. Setting up Sun Java Web Server 7 and Glassfish
  7. Installing Sun Access Manager Policy Agents to protect the above web servers

It’s a complex workbook (and there are a few issues, both with the workbook and the technology), but it’s free training, and it gives you a glimpse of what to expect from Sun Access Manager 8.0.