Once in the browser, hackers can use the cookies present to start a new browser instance in the background, already logged into whatever sites the person is using. identity provider saml is like the castle portcullis. You want a strong gate, but its hard to prevent spies from slipping through.

1. The days are past when a single authorization point was sufficient for serious website
security. Modern man-in-the-middle attacks target the browser. Once in the browser,
hackers can use the cookies present to start a new browser instance in the background,
already logged into whatever sites the person is using. Identity provider saml is like the
castle portcullis. You want a strong gate, but it’s hard to prevent spies from slipping
through.

2. To limit the damage done by hackers, domains need to use a mulit-layered security
approach. So we lock the castle gates at night, but we still lock the armory. Post-authentication
authorization policies can be handy when a person transacts a high
value transaction, like transferring money, or changing a password. In these situations,
some websites today ensure that a man-in-the-middle is not underway by sending an
“out-of-band” verification, for example, an SMS message to the person’s phone. But it’s
not a great user experience.
Maybe the answer is big data? Companies like Prelert and Guardian Analytics can put
big data techniques to work to detect anomalies behind the scenes, and perhaps trigger
an out-of-band authentication or automatic account locking. It’s easier said than done–
sometimes hackers look like real people. However fancy the solution to detect the
intruder, one thing is clear: more locks are needed–not just outside the castle, but
inside.
Web Access Management, and policy management is all “well and good” if you’re a big
company. You have lots of money to secure your important applications. But what we’re
seeing now is the consumerization of access management. If my home is a bee hive of
smart devices, each with their own API’s, each device made by a different vendor, some
of the devices even hacked together from standard parts… how am I going to control all
that? What about my cloud resources like Twitter or Netflix? So there’s a lot of work in
front of us to secure both cloud and home resources. We need to start putting more
locks on things, and paying more attention to that has the keys.

3. Today, Internet security is a patchwork of solutions, where each Internet domain or host
has a different convention for authentication and authorization. Internet security is an
infrastructure challenge that can’t be solved by any one vendor or network provider.
Gluu has recently joined the Open Interconnect Consortium, which is an industry group
that is trying to pool their resources to solve a common challenge with open standards
and free open source software.
There is a lot to be learned from Web standardization efforts for authentication. To
continue with the castle analogy, the development of open Web standards for Shibboleth
idp OpenID Connect, provided important developer feedback about what kind of doors
are preferred. It may be a strange way to phrase it, but it’s now clear that the doors
should be JSON-REST! The only JSON-REST doors for authorization are made out of
“UMA” the User Managed Access Protocol. UMA is a profile of OAuth2 that defines a
policy enforcement point and policy decision point architecture that enables a person or
organization to centrally control access to their stuff.
Article resource:-https://www.smore.com/j2cq8-authorization-is-the-new