Subject: [saml-dev] RE: Question about ConfirmationMethod in SSO
> In what instances are the <ConfirmationMethod> and
> <SubjectConfirmationData> used? It would seem to me that it
> would not be usable in a SSO environment, since the entire purpose of SSO
> is to *not* pass that sort of information along. I'm assuming that
> because of this, SAML can also be used as a local authentication protocol
> as well? A spec I could use to log into a service with username and
> password?

Not currently. There is no provision in SAML 1.0 for pass-through authentication, or for asking an Authentication Authority to authenticate you. You can find some recent discussion on that on the main SAML list. Authentication Assertions are documenting past acts of authentication.

And you are in fact correct, confirmation method is not really used in that fashion with the SSO profiles. In the POST case, for example (the one Shib uses), the method is set to a special "bearer" method URI that indicates that the bearer of the assertion should be accepted as the subject. That's because it's short-lived, and pushed through the browser. There is no real subsequent use of the field, and it's not there to handle some kind of disconnected state or anything like that.

-- Scott
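
An added example, not part of the original message or of any SAML implementation: a receiving site's check that a SAML 1.0 assertion delivered over the POST profile carries only the bearer confirmation method and a short validity window. The sample assertion, the function names and the five-minute limit are constructed assumptions; signature verification, which a real consumer must do first, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
MAX_LIFETIME = timedelta(minutes=5)  # assumed local policy, not a spec value

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="constructed-id-1"
    Issuer="https://idp.example.org" IssueInstant="2002-11-05T17:00:00Z">
  <saml:Conditions NotBefore="2002-11-05T17:00:00Z"
                   NotOnOrAfter="2002-11-05T17:05:00Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-11-05T16:59:30Z">
    <saml:Subject>
      <saml:NameIdentifier>user@example.org</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC; this sample uses whole seconds only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_bearer_assertion(xml_text, now):
    """Return a list of problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    methods = [m.text.strip() for m in root.findall(
        ".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if m.text]
    if methods != [BEARER]:
        problems.append(f"expected only the bearer method, got {methods}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
        # A bearer assertion with no expiry could be replayed indefinitely.
        return problems + ["no validity window on a bearer assertion"]
    start, end = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if end - start > MAX_LIFETIME:
        problems.append("validity window longer than local policy allows")
    if not (start <= now < end):
        problems.append("assertion is outside its validity window")
    return problems
```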