Subject: [saml-dev] Design question using SAML
Dear all,

I hope my question(s) will be in the scope of this mailing list. I am new to SAML, I have read the documents available on the OASIS website regarding SAML, and I would like to make sure that my understanding of SAML is correct, in order to make a good implementation in our project.

Basically, our project involves a central server that receives requests from different clients and that is in charge of validating the requests (i.e. giving authorization or not); authorized requests are then sent to request processors, which might need to get information about the originator of the request.

In this design, a client will authenticate with the central server. I understood that SAML does not provide authentication mechanisms, only a way to assert that a subject has been authenticated by one means or another. Is this correct? If yes, the central server must include an 'Access Manager' that performs the authentication and generates a SAML assertion containing one authentication statement and one or more attribute statement(s). What happens with this assertion? Is it forwarded to the client, so that it includes it with every request? Or is it stored in an 'Assertion Repository', and only a reference to it is returned to the client?

Now that the client has an assertion stating who he is, he is allowed to send a request, with the received assertion (or assertion reference), to the central server, more precisely to the Access Manager. In order to perform correct authorization, what should be its next steps? Should the Access Manager (AM) trust the assertion? If it does not trust it, how could it validate it? When AM is sure about the assertion's validity, should it ask a Policy Decision Point that would decide, based on the requestor's attributes present in the assertion and on its own policy database, whether or not the action should be allowed?

In this case, AM would send a SAML query to the PDP, which would reply with a SAML response containing an Authorization Decision Statement. If the action is authorized, the request is finally sent to one or more request processors. If such processors want to validate the assertion received, where should they check?

Thanks a lot for your help,

Jean-Noel Colin
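The flow sketched in the message above, as an added example that is not part of the original post or of any SAML toolkit: an Access Manager authenticates the client, issues an assertion with one AuthenticationStatement and one AttributeStatement, keeps it in an assertion repository and returns only an artifact; on the next request it dereferences the artifact, checks integrity, issuer and validity window, and only then asks the PDP for a Permit/Deny/Indeterminate decision. It is a toy, not a SAML implementation: real SAML 1.1 assertions are protected with XML Signature, which the Python standard library cannot produce, so an HMAC over the serialized assertion stands in for the signature here. The element names and the password AuthenticationMethod URI are the SAML 1.1 ones; the issuer, users, attribute namespace, key, policy table and the `q`, `pdp_decide`, `AccessManager` and `run_demo` names are all assumptions made for this example.

```python
"""Toy version of the flow in the question: authenticate, issue an assertion with one
AuthenticationStatement and one AttributeStatement, give the client only an artifact, then
dereference and validate it on the next request before asking a PDP. NOT a SAML implementation:
real SAML 1.1 assertions carry an XML Signature, which the standard library cannot produce, so an
HMAC over the serialized assertion stands in for it. Issuer, users, key and policy are constructed."""
import copy, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # the real SAML 1.x assertion namespace
LIFETIME = timedelta(minutes=5)  # assertion validity window (constructed)
ET.register_namespace("saml", SAML_NS)
q = lambda tag: f"{{{SAML_NS}}}{tag}"  # namespace-qualify an element name for ElementTree


def pdp_decide(policy, attrs, resource, action):
    """PDP: decide from the requestor's attributes and the policy table; returns a SAML Decision value."""
    required = policy.get((resource, action))
    if required is None:
        return "Indeterminate"  # no applicable policy
    return "Permit" if attrs.get("role") == required else "Deny"


class AccessManager:
    """Authenticates (SAML itself does not), issues and stores assertions, validates them, asks the PDP."""

    def __init__(self, issuer, key, users, policy):
        self.issuer, self.key, self.users, self.policy = issuer, key, users, policy
        self.repository = {}  # artifact -> (serialized assertion, MAC)

    def authenticate(self, user, password, now):
        """Password check stands in for the real mechanism; the client gets only an opaque artifact."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        xml = ET.tostring(self._build_assertion(user, record["attrs"], now))
        mac = hmac.new(self.key, xml, hashlib.sha256).hexdigest()
        artifact = secrets.token_urlsafe(20)
        self.repository[artifact] = (xml, mac)
        return artifact

    def _build_assertion(self, user, attrs, now):
        a = ET.Element(q("Assertion"), MajorVersion="1", MinorVersion="1", Issuer=self.issuer,
                       AssertionID="_" + secrets.token_hex(16), IssueInstant=now.isoformat())
        ET.SubElement(a, q("Conditions"), NotBefore=now.isoformat(),
                      NotOnOrAfter=(now + LIFETIME).isoformat())
        subject = ET.Element(q("Subject"))
        ET.SubElement(subject, q("NameIdentifier")).text = user
        auth = ET.SubElement(a, q("AuthenticationStatement"), AuthenticationInstant=now.isoformat(),
                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
        auth.append(subject)
        attr_stmt = ET.SubElement(a, q("AttributeStatement"))
        attr_stmt.append(copy.deepcopy(subject))  # every statement names its Subject
        for name, value in attrs.items():
            attr = ET.SubElement(attr_stmt, q("Attribute"), AttributeName=name,
                                 AttributeNamespace="urn:example:attributes")
            ET.SubElement(attr, q("AttributeValue")).text = value
        return a

    def validate(self, xml, mac, now):
        """Checks before trusting an assertion: integrity, trusted issuer, Conditions validity window."""
        expected = hmac.new(self.key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None, "signature check failed"
        root = ET.fromstring(xml)
        if root.get("Issuer") != self.issuer:
            return None, "untrusted issuer"
        cond = root.find(q("Conditions"))
        if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
                < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
            return None, "outside validity window"
        return root, "ok"

    def authorize(self, artifact, resource, action, now):
        """Dereference the artifact, validate the assertion, then ask the PDP."""
        entry = self.repository.get(artifact)
        if entry is None:
            return "Deny", "unknown artifact"
        root, reason = self.validate(*entry, now)
        if root is None:
            return "Deny", reason
        attrs = {e.get("AttributeName"): e.find(q("AttributeValue")).text for e in root.iter(q("Attribute"))}
        return pdp_decide(self.policy, attrs, resource, action), "pdp decision"


def run_demo():
    """Constructed scenario: alice (role=operator) may read /reports but not write."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    am = AccessManager("urn:example:central-server", b"constructed-shared-key",
                       {"alice": {"password": "s3cret", "attrs": {"role": "operator"}}},
                       {("/reports", "read"): "operator", ("/reports", "write"): "admin"})
    art = am.authenticate("alice", "s3cret", now)
    results = {"bad_password": am.authenticate("alice", "wrong", now),
               "read": am.authorize(art, "/reports", "read", now),
               "write": am.authorize(art, "/reports", "write", now),
               "unknown_resource": am.authorize(art, "/admin", "read", now),
               "expired": am.authorize(art, "/reports", "read", now + timedelta(minutes=6))}
    xml, mac = am.repository[art]
    am.repository[art] = (xml.replace(b"operator", b"admin"), mac)  # attacker edits the stored copy
    results["tampered"] = am.authorize(art, "/reports", "write", now)
    return results
```

Two design points the example makes concrete. With the artifact variant the client never holds the assertion, so there is nothing for it to alter in transit; the integrity check still matters because the repository itself, or whoever receives a pushed assertion, can be tampered with, and the tampered case above is refused before the PDP is ever consulted. A request processor that wants its own check has the same two options: hand the artifact back to the Access Manager's repository and let it run `validate`, or, if it is given the assertion itself, run the same issuer, signature and validity-window checks with the issuer's verification key. The HMAC stand-in implies a shared key, which is why real deployments sign with the issuer's private key and let every relying party verify with the public key.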
Powered by eList eXpress LLC