Evaluating Benefits and Tradeoffs

As you design your deployment architecture, be sure to consider the benefits, tradeoffs. The following lists may help you determine if the Fedlet is appropriate to meet your business needs.

Benefits

• The Fedlet does not require additional hardware, thus reducing the cost to the Service Provider and increasing the return on investment on existing hardware.

• The Fedlet is easy to deploy and to embed into the Service Provider application. Configuration on the Fedlet, if needed at all, requires modifying only three to four parameters. This enables you to go live with the application much more quickly than deploying a full-featured federation solution.

• The Fedlet enables the Service Provider to quickly enable federation into their applications, resulting in shorter time-to-market for their applications with the Identity Provider.

• The Fedlet does not require the Service Provider to install any full-featured federation software. This reduces the amount of training required, thus reducing training costs for the Service Provider.

• The Fedlet is ideal for a Service Provider that wants only to achieve single sign-on with an Identity Provider, and to be able to retrieve user attributes from the Identity Provider.

• The Fedlet is compliant with SAMLv2 standards.

• A single instance of the Fedlet can be set up to work with more than one Identity Provider.

• The Fedlet can be configured to use an Identity Provider Discovery Service to set and find the user's preferred Identity Provider.

Tradeoffs

• The Fedlet will not perform session management on the Service Provider. The application or container must perform session management.

• The Fedlet supports single sign-on using the SAMLv2 protocol only. Other federation protocols such as Liberty ID-FF, WS-Federation, and SAML 1.x, are not supported.

• The Fedlet solution enables only single sign-on with an IDP and retrieval of user attributes. Advanced features, typically available in a full-featured federation product such as OpenSSO Enterprise, are not available in the Fedlet:

  • IDP Proxying

  • Single Logout

  • Auto Federation

  • Account Linking Auto-creation of users on the SP

  • Declarative policy integration with roles asserted from the IDP