saml-dev message
Subject: [saml-dev] Baltimore/RSA/Netegrity/Entegrity + Sigaba




Hi East Coast folks,

Like we mentioned on the Tuesday call, Sigaba is trying to demo a flow
that's a little unusual.  So if you want our content site to be able to
interoperate with your assertion producer, we may need to coordinate a
little bit.  Everyone on the West Coast dry run was graciously able to do
this, which we really appreciate.  Here are the details if you East Coast guys
want to support us:


High Level
-----------
Sigaba's content provider site is an "email decryptor".  The user receives
an encrypted email with the ciphertext inside an HTML attachment.  The user
can open the attachment and click on a button to POST the ciphertext to the
email decryptor site.  This site will then redirect the user to a site where
he authenticates and is then redirected back to the decryptor site, and at
this point the decryptor site knows who the user is, and if he is authorized
to read the mail the decryptor site will decrypt the ciphertext and display
the results.


Demo
-----
At Catalyst, this can be demonstrated as follows: there can be a button on
your content provider site that says "Send Confirmation Email", or some such.
You can wire this button to send an email to an SMTP server we will have
onsite:
SMTP = mail.sigaba.com
TO = joe@yahoo.com (or ravi@hotmail.com, or alice@excite.com)
FROM = <anyone>@<authenticatingCompany>.com
SUBJECT = <something the user can remember> 
CONTENT = <Plaintext or HTML, whichever you want>

We will use <authenticatingCompany> to determine which site to have the user
authenticate at.  If you're sending the email and have an assertion
producer, this should probably be your own.

Anyways, once the email is sent, the user can wander over to our setup,
where the email will have been received into an email client.  The user can
then open his mail (hopefully the subject line will be memorable so the user
can pick out which mail is his, from the many we're receiving!), and
authenticate and decrypt it.

Sending email from JSPs or Java (see SMTPBean.java):
http://www.jspinsider.com/beans/beans/email/BeanMailer/index.html

A simpler approach to sending mail from JSPs:
http://www.jguru.com/faq/view.jsp?EID=1163


Technical
----------
Our communication with the assertion producer is unusual, since the user
starts at the content-producer site and returns to it, and since we must
pass a session identifier to the assertion producer and then receive it
back, so when the user is redirected back to our site, we know which of the
pending messages he is trying to decrypt.

We solve this by redirecting to the inter-site-transfer-service directly,
and passing
"TARGET=https://receiver.sigaba.com/application/sD89Kls19djsklkEIqb3/",
where the garbage at the end is a B64-encoded session identifier.  For this
to work out-of-the-box:
 - Your transfer service must be able to prompt the user for credentials and
authenticate him
 - Your transfer service must be able to determine which receiver site to
redirect to based on a TARGET= string of the above format
 - Your transfer service must pass the TARGET string through unchanged

If these are not the case then we'll need to negotiate something.  We can
pass an extra parameter to the transfer service to tell it which receiver to
redirect to, or pass our session identifier as a separate query string, or
whatever.  Let me know what your setup is and what works best for you and
we'll work something out.

Thanks,
Trevor
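A sketch, added here and not part of Trevor's message or Sigaba's code, of how the receiver side of the flow above can mint the session identifier, carry it in a TARGET string of the stated format, and match it back to the pending ciphertext on return. The transfer-service URL, the pending-message bookkeeping and the use of a URL-safe base64 alphabet are assumptions.

```python
import base64
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example; the transfer-service URL is hypothetical.
RECEIVER_BASE = "https://receiver.sigaba.com/application/"
TRANSFER_SERVICE = "https://idp.example.com/InterSiteTransfer"


def new_session_id() -> str:
    """Unguessable session id; URL-safe base64 so it survives as one path segment."""
    return base64.urlsafe_b64encode(secrets.token_bytes(15)).decode().rstrip("=")


def redirect_to_transfer_service(pending: dict, ciphertext: bytes) -> str:
    """Park the POSTed ciphertext under a fresh session id and build the redirect.
    The id rides in TARGET, which the transfer service must pass through unchanged."""
    sid = new_session_id()
    pending[sid] = ciphertext
    target = f"{RECEIVER_BASE}{sid}/"
    return f"{TRANSFER_SERVICE}?{urlencode({'TARGET': target})}"


def session_id_from_target(target: str) -> Optional[str]:
    """Recover the session id from a returned TARGET, or None if it is not ours."""
    parsed = urlparse(target)
    if parsed.scheme != "https" or parsed.netloc != "receiver.sigaba.com":
        return None
    prefix = urlparse(RECEIVER_BASE).path
    if not parsed.path.startswith(prefix) or not parsed.path.endswith("/"):
        return None
    sid = parsed.path[len(prefix):-1]
    # Exactly one segment drawn from the URL-safe base64 alphabet; nothing else.
    if not sid or "/" in sid or not all(c.isalnum() or c in "-_" for c in sid):
        return None
    return sid


def lookup_pending(pending: dict, return_url: str) -> Optional[bytes]:
    """After the assertion has been validated, map the returned TARGET to the
    pending ciphertext and consume it so the same id cannot be presented twice."""
    targets = parse_qs(urlparse(return_url).query).get("TARGET", [])
    if len(targets) != 1:
        return None
    sid = session_id_from_target(targets[0])
    if sid is None:
        return None
    return pending.pop(sid, None)
```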

