The problem with Policy Agents + SAML and Access Manager using SimpleSAMLphp

Policy Agents are good and bad when it comes to Access Managers and Identity Management. The good:

  • The clients tend not to have to add all this authentication code to their application

And the bad:

  • The clients tend to have to install a Policy Agent on their infrastructure.

This part can be a problem. Policy Agents do not support all platforms, and of the ones they do support, I’ve found their implementation of features to be of a … variable quality.

So we’ve got clients who use flavours of Linux with flavours of web servers, including ones which may never be supported. So what do we do?

Well, we’re piloting building a machine with SimpleSAMLphp as an IdP, and then protecting that machine with a Policy Agent. Then at the other end, any web server that runs PHP can run SimpleSAMLphp as an SP.

So when someone accesses the SP and clicks the link to log in, the SP sends a SAML authentication request to the IdP. The Policy Agent intercepts that request and forces the user to authenticate against the Access Manager, then injects the user’s information into the request as it passes through to the IdP. The IdP copies that information into the SAML assertion it returns to the SP.
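To make the IdP half of this concrete, here is an added example of what the glue on the SimpleSAMLphp side looks like: a small custom authentication source that reads the attributes the Policy Agent injected as HTTP request headers and hands them to SimpleSAMLphp as the attributes for the assertion. This is illustration code, not the page’s own code and not part of SimpleSAMLphp or OpenSSO; the module name `agentheaders`, the header names `X-Remote-User` and `X-Remote-Mail`, and the file layout (SimpleSAMLphp 2.x style) are assumptions, and the header names must match whatever the agent is configured to inject.

```php
<?php
// Added example (not SimpleSAMLphp's or OpenSSO's own code).
// Assumed file: modules/agentheaders/src/Auth/Source/Headers.php
// Reads attributes that the Policy Agent injected as request headers and
// exposes them as SAML attributes for the assertion the IdP issues.

namespace SimpleSAML\Module\agentheaders\Auth\Source;

use SimpleSAML\Auth\Source;
use SimpleSAML\Error\Exception;

class Headers extends Source
{
    /** @var array<string,string> SAML attribute name => HTTP header name (assumed names) */
    private array $map;

    /** @var string SAML attribute that must be present, otherwise we refuse to log anyone in */
    private string $identityAttribute;

    public function __construct(array $info, array $config)
    {
        parent::__construct($info, $config);
        $this->map = $config['attribute_map'] ?? [];
        $this->identityAttribute = $config['identity_attribute'] ?? 'uid';
    }

    public function authenticate(array &$state): void
    {
        $attributes = [];
        foreach ($this->map as $samlName => $header) {
            // PHP exposes "X-Remote-User" as $_SERVER['HTTP_X_REMOTE_USER'].
            $key = 'HTTP_' . strtoupper(str_replace('-', '_', $header));
            if (!isset($_SERVER[$key]) || $_SERVER[$key] === '') {
                continue;
            }
            // SimpleSAMLphp expects every attribute value to be a list of strings.
            $attributes[$samlName] = [$_SERVER[$key]];
        }

        // The agent only lets authenticated requests reach this URL, so a
        // missing identity header means the request did not come through it.
        if (!isset($attributes[$this->identityAttribute])) {
            throw new Exception('No user identity supplied by the Policy Agent');
        }

        $state['Attributes'] = $attributes;
    }
}

// Assumed matching entry in config/authsources.php:
//
// 'agent' => [
//     'agentheaders:Headers',
//     'identity_attribute' => 'uid',
//     'attribute_map' => [
//         'uid'  => 'X-Remote-User',   // assumed header names; match the agent's config
//         'mail' => 'X-Remote-Mail',
//     ],
// ],
```

The one thing this class cannot enforce on its own is that the headers really came from the agent: the web server (or the agent) must strip or overwrite any copies of these headers that arrive from the client, and the IdP’s SSO endpoint must only be reachable through the agent-protected virtual host. With that in place, the attributes in `$state['Attributes']` end up in the assertion the SP receives exactly as described above.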

This loose coupling of OpenSSO and SimpleSAMLphp is discussed in more detail on Sun’s website.