I'm trying to help a customer decide whether to implement SQL or stay with WID. I'm leaning towards WID based on the simplicity of setup and the fact that they are unlikely to need the scale that SQL provides. There are just two "benefits" of SQL that I'm unsure about: token replay detection and SAML artefact resolution.
Token replay detectionFrom what I understand, this is a security feature that comes into play only when the application (relying party) does not cleanly implement a logout that destroys the token. The token replay detection is essentially the ambulance at the bottom of the cliff and should not be necessary if the applications are developed properly. One mitigation when using WID would be to mandate clean logouts as part of the acceptance criteria for new relying parties.
SAML artefact resolutionThe documentation on this seems to be quite thin, but it seems as if this feature leverages a back channel between the claims provider and the service provider to a) reduce the traffic to/from the browser and b) improve security by preventing modification of SAML content via the browser. The questions I have on this are:
1. Are there many applications out there that mandate the use of artefact resolution? 2. Are there any examples where AD as the claims provider is used as part of artefact resolution?
Anyone out there have some real-world insights to share?
ADFS SQL vs WID
- 222 Views
- Last Post 21 December 2015