adamdn01 wrote:

> Hello all,
> I'm still fairly new to AM, and have a question. I'm just curious to
> know what the best practice is for an AM protected application to
> trust authentication via AM.
> For example, if that application was accessible outside of Access
> Manager (if the person happened to know the URL), what is the most
> secure way to tell the application not to allow someone in unless
> Access Manager authenticated them. I know you can pass headers, but
> those can be forged. You can also pass credentials, but let's say the
> app is not doing authentication.

Source IP address? Inject a SAML assertion in a header? A SAML
assertion is signed and someone would need to obtain the private key in
order to sign it.
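
The source-IP option from the reply above, as an added example that is not part of the original thread: a WSGI middleware that serves a request only when the TCP peer is the Access Manager gateway, so a forged identity header sent directly to the application is refused. The gateway network `10.0.5.0/28` and the `X-AM-User` header name are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the thread): gateway address range and header name.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.5.0/28")]
IDENTITY_HEADER = "HTTP_X_AM_USER"  # WSGI form of a hypothetical "X-AM-User" header


def from_gateway(peer_addr):
    """True only if the TCP peer address belongs to a trusted gateway network."""
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_GATEWAYS)


class GatewayOnly:
    """WSGI middleware: refuse any request that did not arrive from the gateway."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer set by the server; X-Forwarded-For is
        # client-supplied and is deliberately ignored.
        if not from_gateway(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access is not allowed\n"]
        if not environ.get(IDENTITY_HEADER):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"No authenticated identity\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the protected application; it does no authentication itself.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ[IDENTITY_HEADER]).encode()]


def simulate(peer_addr, headers):
    """Run one constructed request through the middleware; return (status, body)."""
    seen = {}
    environ = {"REMOTE_ADDR": peer_addr, **headers}
    body = GatewayOnly(demo_app)(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(body)
```

Checking the signature on a SAML assertion carried in a header, the other option in the reply, needs an XML-signature library and is not shown here.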