saml-dev message
Subject: Re: new to OpenSAML


Hi Francois,

There are 2 parts to your question. The first part is answered by the SAML
Assertions and Protocol document and the second part is answered
partly across the Overview as well as some other documents. However, I
will try to address it briefly but recommend that you read the documents
mentioned above.

The Browser/Artifact profile uses HTTP for transferring "artifact"
information from the SAML Authority or Responder to the Requestor. This
artifact is then sent back by the Requestor to dereference the
assertion from the Responder, this way helping both the requestor and
the responder to be on the same page for a single instance of
authentication.

Ex. www.abc.com is a SAML Authority capable of providing SAML
Authentication Assertions to another SAML Requestor, www.xyz.com in
our example. Now, as the start of the authentication process, www.xyz.com
will send a SAML Authentication Request to www.abc.com asking
www.abc.com to vouch for the authenticity of the subject in the
request.

www.abc.com will authenticate the user. If authentication succeeds,
www.abc.com will create a SAML AuthenticationResponse (in
correlation to the SAML Request sent by www.xyz.com, see document for
details) containing SAML Authentication Assertions. In addition to
this, www.abc.com will also create an "artifact" that references this
AuthenticationResponse and will send this "artifact" to www.xyz.com
using a Browser/POST (reason why it is called the Browser Artifact profile).

www.xyz.com, upon receiving the artifact, can dissect it to validate the
identity of the sender. It can then send back this artifact in a SOAP
AuthenticationRequest message to get the SOAP AuthenticationResponse
message containing the actual assertion(s) towards the authentication
request made by www.xyz.com.

The artifact used is a one-time artifact (see documents for details
regarding the artifact format) to prevent replay attacks as you mentioned.
Digital Signature is used for ensuring confidentiality of the
Request/Response being transferred over the SOAP/HTTP binding. Yes, the
developers of such an architecture are anticipated to have knowledge
of XML / PKI and other related technologies. That, however, is an
implementation issue and can be considered out of scope for the SAML
Specifications.

-- Prasad.
____________________________________

Who ate my software ?
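The exchange described in the message above, as an added, constructed walkthrough that is not part of the original post and not OpenSAML code: www.abc.com authenticates the subject, issues a signed response, hands a one-time artifact to www.xyz.com, and www.xyz.com inspects the artifact's SourceID before dereferencing it over the back channel. The artifact uses the type 0x0001 layout from SAML 1.x (TypeCode || SourceID || AssertionHandle); the SOAP/HTTP transport is replaced by direct method calls and the XML digital signature by an HMAC over a JSON encoding so the script runs offline. `IDP_SIGNING_KEY`, the request id `req-0001`, the class and method names, and the assertion contents are all assumptions made for this example.

```python
"""Constructed walkthrough of the SAML 1.x Browser/Artifact exchange.
Not OpenSAML code: transport and signatures are simplified to run offline."""
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

TYPE_CODE = b"\x00\x01"                    # artifact type 0x0001 (SAML 1.x)
IDP_SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the IdP's key pair


def source_id(issuer: str) -> bytes:
    """20-byte SourceID: SHA-1 of the authority's identifier (type 0x0001 layout)."""
    return hashlib.sha1(issuer.encode()).digest()


def make_artifact(issuer: str) -> Tuple[str, bytes]:
    """Artifact = base64(TypeCode || SourceID || AssertionHandle); returns (artifact, handle)."""
    handle = os.urandom(20)  # unpredictable handle: the one-time reference to the response
    return base64.b64encode(TYPE_CODE + source_id(issuer) + handle).decode(), handle


def parse_artifact(artifact: str) -> Tuple[bytes, bytes]:
    """Split an artifact into (SourceID, AssertionHandle), rejecting malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("not a well-formed type 0x0001 artifact")
    return raw[2:22], raw[22:42]


def sign(payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON; a stand-in for the XML digital signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class SamlAuthority:
    """www.abc.com: authenticates the subject, issues the signed response, resolves artifacts."""
    issuer: str
    _pending: dict = field(default_factory=dict)  # handle -> response awaiting dereference

    def authenticate_and_issue(self, subject: str, in_response_to: str) -> str:
        # User authentication itself is out of scope here; assume it succeeded for `subject`.
        response = {
            "issuer": self.issuer,
            "in_response_to": in_response_to,  # correlates with the requestor's request
            "assertion": {"subject": subject, "authn_method": "password"},
        }
        response["signature"] = sign(response)
        artifact, handle = make_artifact(self.issuer)
        self._pending[handle] = response
        return artifact  # travels to www.xyz.com through the user's browser

    def resolve(self, artifact: str) -> Optional[dict]:
        """Back-channel dereference. pop() makes the artifact single-use: a replay gets None."""
        _, handle = parse_artifact(artifact)
        return self._pending.pop(handle, None)


@dataclass
class Requestor:
    """www.xyz.com: sent the AuthnRequest, receives the artifact, dereferences it."""
    trusted_authority: str
    outstanding_request: str = "req-0001"  # id of the request it sent (constructed value)

    def sender_is_trusted(self, artifact: str) -> bool:
        """'Dissect' the artifact: its SourceID must name the authority we asked."""
        src, _ = parse_artifact(artifact)
        return hmac.compare_digest(src, source_id(self.trusted_authority))

    def dereference(self, authority: SamlAuthority, artifact: str) -> Optional[dict]:
        """SOAP-style request/response, then signature and correlation checks."""
        if not self.sender_is_trusted(artifact):
            return None
        response = authority.resolve(artifact)
        if response is None:
            return None  # unknown or already-used artifact
        unsigned = {k: v for k, v in response.items() if k != "signature"}
        if not hmac.compare_digest(sign(unsigned), response["signature"]):
            return None  # tampered response
        if response["in_response_to"] != self.outstanding_request:
            return None  # not an answer to the request we actually sent
        return response


if __name__ == "__main__":
    idp = SamlAuthority("www.abc.com")
    sp = Requestor(trusted_authority="www.abc.com")
    art = idp.authenticate_and_issue("alice", sp.outstanding_request)
    print("first dereference:", sp.dereference(idp, art)["assertion"])
    print("replayed artifact:", sp.dereference(idp, art))
```

The second `dereference` call returns `None` because `resolve` removed the handle on first use, which is the replay protection the message refers to; the SourceID check is what lets the requestor reject an artifact that does not come from the authority it contacted, and the signature check covers integrity and origin of the response rather than its confidentiality.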

