Tuesday, August 07, 2007
Single Sign-On, SAML, and Authentication in Documentum
While I am a fresher when it comes to ECM, I can surely say that I have learned a lot from Laurence Hart. Most recently, he blogged on the notion of Single Sign-On, SAML and Authentication in Documentum, which I think has been useful but needs further analysis...
- James' most important statement is this: "Security, in order to be done correctly, requires server APIs which run in the address space of Documentum itself." He is correct. All Documentum sessions are created at the server.
- Though I wouldn’t attempt implementing SAML until D6 to leverage the more advanced capabilities of DFS, I could create a Web Application, or customize the authentication in an existing Documentum Web Application to work with SAML.
- A more secure, and thus more involved, manner would be passing the processing of the SAML request to the server from the Web Application. This would require a modification to the current authentication process, quite similar to how SSO is implemented in Documentum.
- Bex has been railing against SAML and has made some very good points. The biggest is that SAML is not really needed within an Enterprise that uses one single authentication source, like Active Directory. If all your users come from the same LDAP source, you can use an SSO product to leverage the users' initial authentication and not worry about SAML.
- Documentum provides integration with the SiteMinder SSO product. Other SSO products can be integrated as well, with differing degrees of effort.
- When external partners need to access multiple systems within your architecture, SAML becomes a necessity. Before that, it is a matter of convenience. If SAML is supported out of the box, it can make life easier.
- Translation: I don't expect vendors to support SAML until multiple, loud customers make it a requirement. They'll point to their integration with SSO products for this requirement.