Live Mesh authorization tickets are standard SAML tickets. They are digitally signed with the Live Mesh private key to prevent spoofing and they expire after a limited lifetime. Some tickets are used to just authenticate users or devices, other tickets contain authorization information about user/device rights. Cloud services inspect each resource request and authorize access only if it contains valid tickets (correctly signed and not expired) and these tickets specify that the requestor indeed has access to the requested resource. For example, a device X can initiate P2P data synchronization with device Y only if it presents a ticket that is correctly signed by Live Mesh and contains a record saying that both device X and Y are claimed by the same user OR if it contains a record saying that X and Y have the same Live Mesh Folder mapped on them (in the case that the devices are claimed by different users that are members of this Live Mesh Folder). Tickets are passed to the cloud services in the Authorization header using HTTPS to prevent replay attacks.
My quick scan of Kim's blog and the Mesh community forum didn't reveal any nuggets.
I think it would be pretty cool if a P2P file and data synchronization could use a SAML token for authorization. Interesting that there's been no fanfare about this. Maybe I missed it?
Technorati Tags:
SAML, Microsoft, MSFT, authorization, WS-*, Active Directory Federation Services
No comments:
Post a Comment