I just finished configuring Oracle Access Manager (OAM) for Common Access Card (CAC) authentication, integrated with Axway's Server Validator (SV) Plugin (I will blog about this in another post) for certificate validation. While discussing this with another engineer on the project, he mentioned that this really opened the door for tightly integrating with a lot of their existing partners. I said that while this is great, I would prefer to federate with these partners and not have to deal with managing the extra infrastructure components, as well as having to manage several trusted certificates provided by the partners (with intermediate certificates there were about 6 just for this partner alone … I am trying to picture how that scales for each new partner).

I freely admit that I am biased towards Federation. I am totally sold on the benefits of having the Identity Provider (IdP) take care of credentialing and authentication so that the Service Provider (SP) can focus on the applications. His point in preferring to authenticate locally with CAC (vs. via Federation) was that by doing so we somehow offer a better user experience. I think you can also make the argument that a particular potential IdP may not have Federation capabilities (this won't always be the case, IMO). Do you think that you can achieve the same Level of Assurance (LoA) by using Federation (SAML, OpenID or OpenID Connect) instead of authenticating at the SP?
I’d like to crowd-source this discussion and see if we can put together some good arguments for/against either side. Please RT and comment if you have thoughts/opinions on this.