adamdn01 wrote:

>
> Hello all,
>
> I'm still fairly new to AM, and have a question. I'm just curious to
> know what the best practice is for an AM protected application to
> trust authentication via AM.
>
> For example, if that application was accessible outside of Access
> Manager (if the person happened to know the URL), what is the most
> secure way to tell the application not to allow someone in unless
> Access Manager authenticated them. I know you can pass headers, but
> those can be forged. You can also pass credentials, but let's say the
> app is not doing authentication.


Source IP address? Inject a SAML assertion in a header? A SAML
assertion is signed and someone would need to obtain the private key in
order to sign it.

--
Cheers,
Edward
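
Added example, not part of the reply above and not Access Manager code: a Go sketch of the check the application itself could make, combining both suggestions by rejecting requests that do not arrive from the gateway's address and verifying a signed identity header with the gateway's public key. An Ed25519 signature over a constructed `user|expiry` value stands in for the XML signature on a SAML assertion; the gateway address, header layout and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed values: the gateway address and the "payload.signature" header
// layout are assumptions for this sketch, not Access Manager's own format.
const gatewayIP = "10.0.0.5"

// signIdentity plays the gateway's role: it signs "user|unix-expiry" with the private key.
func signIdentity(priv ed25519.PrivateKey, user string, exp time.Time) string {
	enc := base64.RawURLEncoding
	payload := []byte(user + "|" + strconv.FormatInt(exp.Unix(), 10))
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig)
}

// verifyIdentity is the application's check. It holds only the public key,
// so it can verify the header but cannot mint one.
func verifyIdentity(pub ed25519.PublicKey, peerIP, header string, now time.Time) (string, error) {
	if peerIP != gatewayIP { // TCP peer address, never a client-supplied header
		return "", errors.New("request did not come through the gateway")
	}
	p, s, _ := strings.Cut(header, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("identity header is missing, malformed or not signed by the gateway")
	}
	user, expStr, ok := strings.Cut(string(payload), "|")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil || now.Unix() > exp { // short lifetime limits replay of a captured header
		return "", errors.New("assertion expired or malformed")
	}
	return user, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	h := signIdentity(priv, "alice", time.Now().Add(5*time.Minute))
	fmt.Println(verifyIdentity(pub, gatewayIP, h, time.Now()))
	fmt.Println(verifyIdentity(pub, "203.0.113.9", h, time.Now()))
}
```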