Subject: [saml-dev] Baltimore/RSA/Netegrity/Entegrity + Sigaba
Hi East Coast folks,

Like we mentioned on the Tuesday call, Sigaba is trying to demo a flow that's a little unusual. So if you want our content site to be able to interoperate with your assertion producer, we may need to coordinate a little bit. Everyone on the West Coast dry run was graciously able to do this, which we really appreciate. Here are the details if you East Coast guys want to support us:

High Level
-----------
Sigaba's content provider site is an "email decryptor". The user receives an encrypted email with the ciphertext inside an HTML attachment. The user can open the attachment and click on a button to POST the ciphertext to the email decryptor site. This site will then redirect the user to a site where he authenticates and is then redirected back to the decryptor site. At this point the decryptor site knows who the user is, and if he is authorized to read the mail, the decryptor site will decrypt the ciphertext and display the results.

Demo
-----
At Catalyst, this can be demonstrated as follows: there can be a button on your content provider site that says "Send Confirmation Email", or some such. You can wire this button to send an email to an SMTP server we will have onsite:

SMTP    = mail.sigaba.com
TO      = joe@yahoo.com (or ravi@hotmail.com, or alice@excite.com)
FROM    = <anyone>@<authenticatingCompany>.com
SUBJECT = <something the user can remember>
CONTENT = <Plaintext or HTML, whichever you want>

We will use <authenticatingCompany> to determine which site to have the user authenticate at. If you're sending the email and have an assertion producer, this should probably be your own. Anyways, once the email is sent, the user can wander over to our setup, where the email will have been received into an email client. The user can then open his mail (hopefully the subject line will be memorable so the user can pick out which mail is his, from the many we're receiving!), and authenticate and decrypt it.

Sending email from JSPs or Java (see SMTPBean.java):
http://www.jspinsider.com/beans/beans/email/BeanMailer/index.html

A simpler approach to sending mail from JSPs:
http://www.jguru.com/faq/view.jsp?EID=1163

Technical
----------
Our communications with the assertion producer are unusual, since the user starts at the content-producer site and returns to it, and since we must pass a session identifier to the assertion producer and then receive it back, so when the user is redirected back to our site, we know which of the pending messages he is trying to decrypt. We solve this by redirecting to the inter-site-transfer-service directly, and passing "TARGET=https://receiver.sigaba.com/application/sD89Kls19djsklkEIqb3/", where the garbage at the end is a B64-encoded session identifier.

For this to work out-of-the-box:

- Your transfer service must be able to prompt the user for credentials and authenticate him
- Your transfer service must be able to determine which receiver site to redirect to based on a TARGET= string of the above format
- Your transfer service must pass the TARGET string through unchanged

If these are not the case then we'll need to negotiate something. We can pass an extra parameter to the transfer service to tell it which receiver to redirect to, or pass our session identifier as a separate query string, or whatever. Let me know what your setup is and what works best for you and we'll work something out.

Thanks,
Trevor
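The session-binding part of the flow described in the message (an opaque identifier carried in the TARGET path, the transfer service passing it through unchanged, the receiver mapping it back to a pending ciphertext) is shown below as an added Python example. It is not code from the original message, from Sigaba, or from any of the vendors addressed; it models both sides in one file. The transfer-service hostname, the registry of receiver sites, the five-minute lifetime and the single-use rule are all assumptions made for the example, and the ciphertext is an opaque byte string that is handed back rather than actually decrypted.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Receiver base path is the one quoted in the message; the transfer-service
# URL is a hypothetical placeholder for whichever assertion producer is used.
RECEIVER_HOST = "receiver.sigaba.com"
RECEIVER_BASE = f"https://{RECEIVER_HOST}/application/"
TRANSFER_SERVICE = "https://idp.example.com/InterSiteTransfer"

# Assumed: the transfer service only redirects to receiver sites it knows,
# so a TARGET it has never seen cannot turn it into an open redirector.
REGISTERED_RECEIVERS = {RECEIVER_HOST}

SESSION_TTL = 300  # assumed lifetime of a pending decryption request, in seconds


class PendingStore:
    """Ciphertexts awaiting an authenticated user, keyed by an unguessable id."""

    def __init__(self):
        self._pending = {}

    def add(self, ciphertext: bytes, recipient: str, now=None) -> str:
        # 256 random bits, URL-safe base64 without padding: this is the
        # "B64-encoded session identifier" that travels in the TARGET path.
        sid = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._pending[sid] = {
            "ciphertext": ciphertext,
            "recipient": recipient,
            "created": time.time() if now is None else now,
        }
        return sid

    def pop(self, sid: str, now=None):
        # Single use: the entry is removed on first lookup, and stale ones are dropped.
        entry = self._pending.pop(sid, None)
        if entry is None:
            return None
        now = time.time() if now is None else now
        if now - entry["created"] > SESSION_TTL:
            return None
        return entry


def build_transfer_redirect(sid: str) -> str:
    """Receiver side: the redirect sent to the browser after the ciphertext POST."""
    target = f"{RECEIVER_BASE}{sid}/"
    return f"{TRANSFER_SERVICE}?{urlencode({'TARGET': target})}"


def transfer_service_pick_receiver(redirect_url: str):
    """Transfer-service side: choose the receiver from TARGET and pass it through unchanged.

    Returns None when TARGET is absent, not https, or not a registered receiver.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    target = query.get("TARGET", [None])[0]
    if target is None:
        return None
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in REGISTERED_RECEIVERS:
        return None
    return target


def extract_sid(target: str):
    """Receiver side: recover the session identifier from the TARGET that came back."""
    parts = urlsplit(target)
    if parts.hostname != RECEIVER_HOST or not parts.path.startswith("/application/"):
        return None
    segments = [s for s in parts.path.split("/") if s]
    # Expect exactly ["application", "<sid>"]; anything else is malformed.
    return segments[1] if len(segments) == 2 else None


def decrypt_for_user(store: PendingStore, target: str, authenticated_user: str, now=None):
    """Receiver side, after the user returns authenticated.

    Returns (status, ciphertext). The ciphertext is released only when the
    session is known, unexpired, and addressed to the authenticated user.
    """
    sid = extract_sid(target)
    if sid is None:
        return ("bad_target", None)
    entry = store.pop(sid, now)
    if entry is None:
        return ("unknown_session", None)
    if entry["recipient"].lower() != authenticated_user.lower():
        return ("not_authorized", None)
    return ("ok", entry["ciphertext"])


if __name__ == "__main__":
    # Constructed walk-through of one message end to end.
    store = PendingStore()
    sid = store.add(b"<opaque ciphertext>", "joe@yahoo.com")
    redirect = build_transfer_redirect(sid)
    target = transfer_service_pick_receiver(redirect)
    print(redirect)
    print(decrypt_for_user(store, target, "joe@yahoo.com"))
```

The identifier does the work of a session cookie that cannot be relied on across the redirect, so it is generated from a CSPRNG, consumed on first use and expired after a short window; the recipient check is what makes "if he is authorized to read the mail" hold even if a TARGET URL leaks, and the transfer service's registry check is what keeps "redirect wherever TARGET says" from becoming an open redirect.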