Subject: RE: [saml-dev] Re: new to OpenSAML
> I guess there is a step (step 6 in the diagram) where the relying
> party has to send a SOAP/SAML Request to the SAML Authority, i.e.
> AuthenticationQuery. The corresponding SAML Response can then contain
> either an Assertion with SAMLStatus=Success or just a SAMLStatus with an
> appropriate message (as in the case of authentication failure etc.).
>
> Am I getting it right or am I misinterpreting?

Ah, no, you're not correct. You're talking about the artifact profile, in which a Request is sent with the artifact inside to get a Response containing the assertion. It's not an AuthenticationQuery. There is no profile in 1.1 that uses that query type, nor am I aware of any wide use of it, unlike the other two queries.

> In SAML 2.0 Web Browser Profile, the Assertion is returned directly in
> response to the AuthnRequest made by a Relying party (SP), which is
> different from SAML 1.1 where "Browser redirect" was used for returning
> an Artifact to the Relying party; which then would send a SOAP/SAML
> Request (as mentioned above and also step 6 in the diagram) to get a
> corresponding Assertion in a SOAP/SAML Response.

No, SAML 2.0 fully supports the old model of using an artifact or POST to deliver the response. In 1.1, they were separate profiles. In 2.0, they are described in terms of separate bindings with a single profile. The language you used above is just as applicable to the 1.1 POST profile, it's not something new in 2.0. There just wasn't a formal AuthnRequest flow in 1.1.

> Also, does HTTP Artifact binding require both SP and IdP to send
> artifacts first and then pull the actual request or response? Is this
> a replacement (refinement) of the Browser Artifact profile?

No and yes. The Artifact, Redirect, and POST bindings can be combined as needed on each half of a request/response exchange. I can send the AuthnRequest with Redirect via GET and get back an artifact representing the Response. That is in fact probably a common case.

And yes, this use of artifact is a re-working of the idea behind the artifact profile in 1.1, so that it can be used on either end and used across all the protocols in SAML in a common way (i.e. you implement the basic machinery once for all messages).

-- Scott
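The exchange Scott describes (AuthnRequest carried by the HTTP-Redirect binding, Response handed back as an artifact, artifact resolved over the SOAP back channel), as an added, self-contained simulation that is not part of this thread or of OpenSAML. The entity IDs, message IDs and XML fragments are constructed placeholders; the Redirect encoding (raw DEFLATE, base64, URL-encoding) and the 44-byte artifact layout (type code 0x0004, endpoint index, 20-byte SourceID, 20-byte handle) follow the SAML 2.0 Bindings specification. The artifact store below is a toy in-memory dictionary standing in for an IdP's real state, and it shows the property a deployer cares about: the artifact is an opaque, single-use handle, so a replayed resolution request yields nothing.

```python
"""Added example (not from the thread): SAML 2.0 Redirect + Artifact exchange."""
import base64
import hashlib
import secrets
import struct
import urllib.parse
import zlib

SP_ENTITY_ID = "https://sp.example.test/metadata"    # constructed placeholder
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # constructed placeholder
ARTIFACT_TYPE_CODE = 0x0004                          # SAML 2.0 artifact type


def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    data = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode(), safe="")


def redirect_decode(param: str) -> str:
    """Reverse of redirect_encode, as the receiver of the GET would do it."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode()


def parse_artifact(artifact_b64: str):
    """Split a base64 artifact into (type_code, endpoint_index, source_id, handle)."""
    art = base64.b64decode(artifact_b64)
    if len(art) != 44:
        raise ValueError("unexpected artifact length")
    type_code, idx = struct.unpack(">HH", art[:4])
    return type_code, idx, art[4:24], art[24:]


class ArtifactIssuer:
    """IdP side: keeps the real Response and hands the browser an opaque handle."""

    def __init__(self, entity_id: str, endpoint_index: int = 0):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()  # 20 bytes
        self.endpoint_index = endpoint_index
        self.pending = {}  # handle -> Response XML (toy in-memory store)

    def issue(self, response_xml: str) -> str:
        handle = secrets.token_bytes(20)  # unpredictable message handle
        self.pending[handle] = response_xml
        art = struct.pack(">HH", ARTIFACT_TYPE_CODE, self.endpoint_index)
        return base64.b64encode(art + self.source_id + handle).decode()

    def resolve(self, artifact_b64: str):
        """Back-channel ArtifactResolve: returns the Response once, then None."""
        type_code, _, source_id, handle = parse_artifact(artifact_b64)
        if type_code != ARTIFACT_TYPE_CODE or source_id != self.source_id:
            return None
        return self.pending.pop(handle, None)  # pop makes the handle single-use


def build_authn_request(request_id: str) -> str:
    # Constructed minimal AuthnRequest; a real one is signed and validated.
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="{request_id}" Version="2.0"><saml:Issuer '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{SP_ENTITY_ID}'
            '</saml:Issuer></samlp:AuthnRequest>')


def run_exchange() -> dict:
    idp = ArtifactIssuer(IDP_ENTITY_ID)
    # 1. SP -> browser -> IdP: AuthnRequest in the SAMLRequest query parameter.
    req_id = "_req-" + secrets.token_hex(8)
    query = "SAMLRequest=" + redirect_encode(build_authn_request(req_id))
    # 2. IdP decodes the request and prepares a Response, but only sends an artifact.
    received = redirect_decode(query.split("=", 1)[1])
    if f'ID="{req_id}"' not in received:
        raise RuntimeError("request lost in transit")
    response_xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                    f'InResponseTo="{req_id}" Version="2.0"><samlp:Status>'
                    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
                    '</samlp:Status></samlp:Response>')
    samlart = idp.issue(response_xml)
    # 3. SP reads the SourceID to pick the issuing IdP, then resolves over SOAP
    #    (simulated here as a direct call).
    type_code, idx, source_id, _ = parse_artifact(samlart)
    known_idp = hashlib.sha1(IDP_ENTITY_ID.encode()).digest()
    resolved = idp.resolve(samlart) if source_id == known_idp else None
    # 4. A second ArtifactResolve for the same handle must fail.
    replay = idp.resolve(samlart)
    return {
        "type_code": type_code,
        "endpoint_index": idx,
        "artifact_len": len(base64.b64decode(samlart)),
        "resolved": resolved is not None and f'InResponseTo="{req_id}"' in resolved,
        "replay_rejected": replay is None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The point of the split is the one Scott makes: the front-channel binding carrying the AuthnRequest and the one carrying the Response are chosen independently, and the artifact machinery is the same regardless of which protocol message sits behind the handle.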