AA should have an option for customers to choose to completely eliminate the mandatory Endpoint trust relationship mechanism built into AA thick clients (Win/Mac/Linux). This feature provides little in the way of additional trust/assurance, but absolutely causes the highest amount of ongoing support tickets whenever the client or the server lose track of a particular trust relationship. AA should allow informed decisions by customers to turn off this fragile subsystem entirely, stop creating Endpoint objects, and stop having clients generate unique ID/secret strings like those that are inserted into the AA Windows Client config.properties today. Most enterprise customers will already have their Windows computers and likely Mac/Linux endpoints joined to their Active Directory domain (we certainly do for all of them), so the only device trust that truly matters would only ever be leveraged from that anyway, not AA’s extra complexity of Endpoint trust. And today, I can already interact in other ways with AA authentication capability from methods that don’t care a single whit about an Endpoint trust, such as browser-based authentication to the Admin portal, or the Authenticators Management portal, or even the OSP (SAML/OAuth) service – none of those care if the endpoint I am using to authenticate to them happens to have an AA trust relationship – it’s irrelevant to them – so why make my AA thick client logon screens have this fragile trust relationship? Allow us to turn it off completely!

Comments

  • This is being investigated.