The STS is designed to plug into authentication mechanisms like Kerberos and OpenSAML, which are atomic in nature. Once a user has authenticated, the STS issues and handles tokens cleanly, so further transactions do not require reauthentication.
My engineer friend Kevin, who has been studying the STS, pointed out a glaring flaw in it when applied to how traditional web servers manage sessions using cookies. How will the STS and the InfoCard system handle session management when a cookie on the client side is responsible for that task? It seems that the only way for that to happen is for someone to create a set of APIs that intermediate between cookies and the STS. This is the approach Sxip has taken with Sxore, by the way.
For the Metasystem, taking the API approach defeats the ease of use of the STS because it requires web server administrators to take an extra step to connect to the Metasystem. It won't be as simple as dropping in an STS to play with InfoCards in their web application. This barrier to adoption could slow down implementation of the Metasystem significantly unless Microsoft has something up its sleeve to mitigate this problem. Let's hope they do.
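To make the cookie/STS gap concrete, here is an added example (not code from this post, from Microsoft, or from Sxip) of the kind of intermediating layer described above: the browser presents an STS-issued token once, the web server validates it, opens a server-side session whose lifetime is capped by the token's expiry, and hands back a signed, HttpOnly cookie; later requests carry only the cookie, so the user is not reauthenticated. The STS here is a constructed stand-in (an HMAC-tagged JSON blob under an assumed shared key), and the cookie format, the `sts_issue_token`/`login_with_token`/`handle_request` functions and all sample values are hypothetical.

```python
"""Bridging an STS-issued token to cookie-based web sessions (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SESSION_SECRET = secrets.token_bytes(32)   # per-server cookie-signing key (constructed)
STS_SHARED_KEY = b"constructed-sts-key"     # assumption: HMAC key shared with a hypothetical STS
SESSIONS = {}                               # server-side store: session id -> {"claims", "exp"}


def sts_issue_token(subject, ttl, now=None):
    """Stand-in for an STS: base64(JSON claims) + "." + HMAC tag (constructed format)."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    tag = hmac.new(STS_SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def sts_validate_token(token, now=None):
    """Verify the tag in constant time and reject expired tokens; return claims or None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.encode().split(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(STS_SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def make_cookie(session_id):
    """Cookie value = session id + HMAC so a tampered id is rejected before any lookup."""
    tag = hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def parse_cookie(cookie_value):
    sid, _, tag = cookie_value.partition(".")
    expected = hmac.new(SESSION_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not sid or not hmac.compare_digest(tag, expected):
        return None
    return sid


def login_with_token(token, now=None):
    """The bridge API: validate the STS token once, open a session, return a Set-Cookie value."""
    now = time.time() if now is None else now
    claims = sts_validate_token(token, now)
    if claims is None:
        return None
    sid = secrets.token_urlsafe(24)
    # The session never outlives the token that established it.
    SESSIONS[sid] = {"claims": claims, "exp": claims["exp"]}
    return f"sid={make_cookie(sid)}; HttpOnly; Secure; SameSite=Lax"


def handle_request(cookie_header, now=None):
    """Subsequent requests: cookie only, no token and no reauthentication needed."""
    now = time.time() if now is None else now
    if cookie_header is None or not cookie_header.startswith("sid="):
        return 401, "login required"
    sid = parse_cookie(cookie_header[4:])
    session = SESSIONS.get(sid) if sid else None
    if session is None or session["exp"] <= now:
        SESSIONS.pop(sid, None)          # drop stale sessions so they cannot be replayed later
        return 401, "session expired or invalid"
    return 200, f"hello {session['claims']['sub']}"


if __name__ == "__main__":
    token = sts_issue_token("alice", ttl=600)          # one token from the (stand-in) STS
    set_cookie = login_with_token(token)               # exchanged once for a session cookie
    cookie = set_cookie.split(";")[0]
    print(handle_request(cookie))                      # cookie alone suffices from here on
```

The point the example makes is that the bridge has to carry the token's expiry into the session, otherwise a web server that simply drops in an STS and keeps its old cookie handling ends up with sessions that live longer than the identity that created them.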