Using existing Standards for Cloud-based Access Management across Organizations

Combined Session
Wednesday, May 15, 2013 11:30—12:30
Location: ALPSEE

Cloud-based IAM is, to be honest, in most cases limited to Cloud-based authentication, which means relying on the authentication performed by a customer or partner organization. A consequence thereof is that the authorization management architecture must be changed, since one can no longer assume that users will be present in the systems of the service provider (or in a specific identity provider) so that authorizations can be managed upfront, e.g. by using role models or other (relatively) static information.

Especially in recent years, the externalization of identities from applications - a healthy but also necessary step - has led to assembling, at the Identity Provider, all sorts of user attributes that encode in one way or another the authorizations/roles this person holds in the various target systems. This approach, though widespread, has a number of disadvantages, especially in cross-organizational scenarios, unless the challenge of dealing with distributed sources of authorization information at run-time has been solved.

This presentation describes an architectural approach that uses claims-based authorization assertions for web-based applications in conjunction with SAML authentication delegated to an Identity Provider, where the authorization information is stored neither with the application nor with the Identity Provider.

Prof. Dr. Sachar Paulus
KuppingerCole
Prof. Dr. Sachar Paulus is KuppingerCole Scientific Advisor and a former KuppingerCole Senior Analyst. Sachar was 8 years with SAP in leading security positions, responsible for Secure Software...