saml-dev message
Subject: RE: [saml-dev] RE: Is a separate "ArtifactReceiver" required?


Jahan,

I would support adding a minimal extension
that supports flow from destination to source site. My
question is whether it needs to be anything more than:
(taken from
http://lists.oasis-open.org/archives/security-services/200212/msg00001.html)

------------------------------------------------
(1) User accesses resource at destination site 

No normative requirements here

(2) User is re-directed to an assertion creation URL at source site

   <HTTP-Version> 302 <Reason Phrase>
   <other headers>
   Location: http://assertion_creation_URL?..TARGET=xxxx...
   etc.

(3) Assertion creation URL interacts with user if no user session available
or whatever

No normative requirements here.

(4) User is re-directed back to the destination site in the usual way
 
Follow Step 2 from existing profiles (4.1.1.4 or 4.1.2.4)


[Often the assertion creation URL and the inter-site transfer URL are
identical but it may aid the specification to separate the concepts]

>>-----Original Message-----
>>From: Jahan Moreh [mailto:jmoreh@sigaba.com]
>>Sent: Friday, December 06, 2002 7:09 PM
>>To: Scott Cantor; saml-dev@lists.oasis-open.org;
>>security-services@lists.oasis-open.org
>>Subject: RE: [saml-dev] RE: Is a separate "ArtifactReceiver" required?
>>
>>
>>Scott -
>>Your characterization is accurate. Indeed, at the interop we were creating
>>the "shire" URL based on the TARGET. If we had a specific agreed-upon
>>parameter (like Shib's shire), we would not have to make individual
>>agreements with each interop vendor.
>>
>>Like you, we advocate supporting this kind of flow in SAML 1.1.
>>
>>Thanks,
>>Jahan
>>
>>----------------
>>Jahan Moreh
>>Chief Security Architect
>>310.286.3070
>>
>>> -----Original Message-----
>>> From: Scott Cantor [mailto:cantor.2@osu.edu]
>>> Sent: Friday, December 06, 2002 3:16 PM
>>> To: saml-dev@lists.oasis-open.org;
>>> security-services@lists.oasis-open.org
>>> Subject: [saml-dev] RE: Is a separate "ArtifactReceiver" required?
>>>
>>>
>>> FWIW:
>>>
>>> The Shibboleth flow uses two parameters, one called "target" and one
>>> called "shire".
>>>
>>> The shire parameter is the acceptance point at the target site which the
>>> source site would send the user back to once finished with local
>>> authentication.
>>>
>>> The target is the place the user wanted to go before being so rudely
>>> interrupted.
>>>
>>> It sounds like the Catalyst implementers were using the target to figure
>>> out what the shire-equivalent URL should be, and then were sending the
>>> user there without any further indication of where the user would then
>>> be sent. That obviously won't work as a general mechanism for
>>> "target-first" access.
>>>
>>> The POST profile specifically calls out the TARGET form element as being
>>> not the place where the assertion is posted but instead the resource the
>>> user should be sent to afterwards. This is consistent with Shib's usage
>>> (we copy the incoming target back out into the form verbatim).
>>>
>>> Also FWIW, we know of lots of important or useful extensions that we'd
>>> like to have available to provide more control, but have deferred that
>>> until we can approach it with some formalism, whether we adopt Liberty's
>>> approach, or perhaps contribute something to a SAML 1.1 discussion (my
>>> preference at the moment).
>>>
>>> -- Scott
>>>
>>>
>>> ----------------------------------------------------------------
>>> To subscribe or unsubscribe from this elist use the subscription
>>> manager: <http://lists.oasis-open.org/ob/adm.pl>
>>>
>>
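The four-step destination-first flow laid out at the top of this message, worked through in Python as an added example (not code from the thread or from Shibboleth or any interop implementation): the source site's assertion creation URL, the destination's shire URL and the TARGET are constructed values, and the source side accepts only shire values agreed out of band, which is the check the "no agreed-upon parameter" problem in the thread calls for.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example (not from the thread).
SOURCE_ASSERTION_CREATION_URL = "https://source.example.edu/saml/create"
# Acceptance points ("shire" URLs) agreed with destination sites out of band.
# Anything else is refused rather than guessed from TARGET.
AGREED_SHIRES = {"https://dest.example.org/shire"}


def build_source_redirect(target, shire, creation_url=SOURCE_ASSERTION_CREATION_URL):
    """Step 2: the destination site answers with a 302 whose Location carries
    TARGET (where the user wanted to go) and shire (where the source site
    should return the user together with the assertion)."""
    return creation_url + "?" + urlencode({"TARGET": target, "shire": shire})


def parse_source_request(location):
    """Source-site side of step 2: pull TARGET and shire out of the redirect."""
    params = parse_qs(urlparse(location).query)
    return params.get("TARGET", [None])[0], params.get("shire", [None])[0]


def build_return_post(target, shire, agreed=AGREED_SHIRES):
    """Step 4: after local authentication the source site sends the user back
    with the POST profile. The shire must be a pre-agreed acceptance point,
    and TARGET is copied back into the form verbatim, as the profile says.
    Returns None for an unknown shire, so nothing is posted to a URL the
    source site never agreed to."""
    if shire not in agreed:
        return None
    # Form field names as in the SAML 1.x browser/POST profile; the response
    # content itself is a placeholder here.
    return {
        "action": shire,
        "form": {"TARGET": target, "SAMLResponse": "<constructed placeholder>"},
    }


def target_first_flow(target, shire):
    """Run steps 2 and 4 end to end (steps 1 and 3 carry no normative content)."""
    location = build_source_redirect(target, shire)
    seen_target, seen_shire = parse_source_request(location)
    return build_return_post(seen_target, seen_shire)


if __name__ == "__main__":
    print(target_first_flow("https://dest.example.org/app/doc?id=7",
                            "https://dest.example.org/shire"))
```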
