saml-dev message
Subject: RE: [saml-dev] Use of ECP Profile
- From: "Jean-Noel Colin" <jean-noel.colin@oxys.be>
- To: "'Conor P. Cahill'" <concahill@aol.com>
- Date: Mon, 25 Oct 2004 14:08:57 +0200
Dear Conor,
Thank you very much for your suggestion.
Regarding the use of ECP, I fully agree that an SP does not have to know where the IdP is, but as in my case an SP may also be an ECP (in case of a service chain), it means that each SP in the chain has to know which IdP to use, or that this information is carried in the request for service.

Regarding your suggestion of not using ECP, does this mean that SP-A would adjust the AssertionConsumerServiceURL attribute to point to SP-B? What would be the workflow?
1. User's environment (UE) invokes SP-A
2. SP-A sends an AuthnReq to UE
3. UE sends the AuthnReq to its (known) IdP
4. IdP responds to UE with a Response containing AuthnAssertions
5. UE sends this response to SP-A
To complete the request, SP-A needs to invoke a service from SP-B.

If SP-A submits an AuthnRequest to the IdP for SP-B, and the IdP sends the AuthnResponse to SP-B, SP-B does not know about the service that is being invoked (as SP-A did not issue the call).

If the IdP sends the AuthnResponse to SP-A, this requires that SP-A is able to send this back to SP-B with the call parameters.

What if we have an arbitrarily long chain? SP-B may in turn call SP-C, which will call SP-D. In this case, how does SP-B know which IdP to contact?
Thanks a lot for your help
Jean-Noel
Jean-Noel Colin wrote on 10/25/2004, 6:25 AM:
If I base myself on the ECP profile, I guess that each service should send its own AuthnRequest to the IdentityProvider, but as the services may be distributed, I don't think I could use the Identity Provider Discovery Profile, which requires a common domain.
I'm not sure you need ECP at all, but with the ECP, the SPs don't need to know where the IdP is; the ECP can know and direct the request appropriately. This depends on an intelligent client/proxy to do the IdP locating work.

Without the ECP, you can do what you are trying to do by pushing the authentications to the appropriate service (so that when the user is at SP-A, and the SP wants to send the user to SP-B, SP-A can submit an AuthnRequest to the IdP that it already knows about asking for an authentication at SP-B). SP-B would have to be able to deal with such an incoming request, but that's simply a trust model. The only issue would be the fact that SP-B would receive an unrequested AuthnResponse that was associated with an AuthnRequest that it did not submit. To safely work around that, the two could agree on some authenticator to be placed in the relay state.
Conor
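Conor's non-ECP suggestion, sketched as an added example (not code from this thread, nor from any SAML implementation): SP-A issues an AuthnRequest whose AssertionConsumerServiceURL points at SP-B, and SP-B's ACS accepts the resulting Response, which carries an InResponseTo it never issued, only if the RelayState carries an authenticator it can verify. The thread says only "some authenticator"; the concrete form here (a short call reference plus a truncated HMAC-SHA256 tag under a secret SP-A and SP-B share), the entity IDs and URLs, and the idea that SP-A hands SP-B the pending call parameters over a back channel beforehand so that SP-B can tie the login to a service call are all assumptions of this example. The usual Response validation (signature, audience, conditions) is left out to keep the focus on the unsolicited-response check.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed identifiers and secret: assumptions for this example, not from the thread.
SP_A_ENTITY_ID = "https://sp-a.example.org/saml"
SP_B_ACS_URL = "https://sp-b.example.org/saml/acs"
IDP_SSO_URL = "https://idp.example.org/saml/sso"
SHARED_SECRET = b"secret agreed out of band between SP-A and SP-B"


def _tag(data: bytes, secret: bytes) -> str:
    # HMAC-SHA256 truncated to 128 bits, base64url without padding, so that the
    # whole RelayState stays well under the 80-byte limit the SAML 2.0 bindings set.
    mac = hmac.new(secret, data, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_relay_state(call_ref: str, issued: int, secret: bytes) -> str:
    """SP-A side: the authenticator placed in RelayState (call reference, time, tag)."""
    body = f"{call_ref}.{issued}"
    return f"{body}.{_tag(body.encode(), secret)}"


def verify_relay_state(relay_state: str, now: int, secret: bytes, max_age: int = 300):
    """SP-B side: return the call reference if tag and freshness check out, else None."""
    try:
        call_ref, issued_s, tag = relay_state.split(".")
        issued = int(issued_s)
    except ValueError:
        return None
    expected = _tag(f"{call_ref}.{issued}".encode(), secret)
    if not hmac.compare_digest(expected, tag):
        return None
    if not 0 <= now - issued <= max_age:
        return None
    return call_ref


def build_authn_request(request_id: str, issued_at: datetime) -> str:
    """AuthnRequest from SP-A asking the IdP to deliver the Response to SP-B's ACS."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issued_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_B_ACS_URL,  # the point: authenticate the user at SP-B
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = SP_A_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def sample_response(in_response_to: str) -> str:
    """Constructed, stripped-down Response as the IdP might POST to SP-B (no assertion)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
        f'IssueInstant="2004-10-25T12:08:57Z" Destination="{SP_B_ACS_URL}" '
        f'InResponseTo="{in_response_to}"><samlp:Status>'
        f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:Response>'
    )


def sp_b_accept_response(response_xml: str, relay_state: str, now: int,
                         own_request_ids: set, pending_calls: dict, secret: bytes):
    """SP-B's ACS. Responses to its own requests pass as usual; an unsolicited one is
    accepted only with a valid RelayState authenticator naming a pending call."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response" or root.get("Destination") != SP_B_ACS_URL:
        return None
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return None
    in_response_to = root.get("InResponseTo")
    if in_response_to in own_request_ids:
        return {"call": None, "request": in_response_to}  # ordinary SP-B-initiated flow
    call_ref = verify_relay_state(relay_state, now, secret)
    if call_ref is None or call_ref not in pending_calls:
        return None  # unsolicited and not authenticated by SP-A: reject
    return {"call": pending_calls[call_ref], "request": in_response_to}


def demo(now: int = 1098705000, secret_at_sp_b: bytes = SHARED_SECRET):
    """Whole exchange: SP-A registers the call with SP-B, builds the request and the
    RelayState; the IdP answers to SP-B; SP-B decides whether to accept."""
    call_ref = "c7e1d2a9"  # constructed; in practice a fresh random value per call
    pending_at_sp_b = {call_ref: {"service": "quote", "args": {"item": 42}}}  # pushed by SP-A (assumption)
    request_id = "_" + uuid.uuid4().hex
    build_authn_request(request_id, datetime.fromtimestamp(now, timezone.utc))
    relay_state = make_relay_state(call_ref, now, SHARED_SECRET)
    return sp_b_accept_response(sample_response(request_id), relay_state, now + 5,
                                set(), pending_at_sp_b, secret_at_sp_b)
```

The RelayState deliberately carries only a reference and a tag, not the call parameters themselves: the SAML 2.0 bindings cap RelayState at 80 bytes, and the IdP reflects it back unchanged, so anything SP-B needs beyond "which pending call is this" has to reach it some other way (here, a back-channel registration by SP-A). The freshness window and the shared secret are what stop a captured RelayState from being replayed against SP-B later; without them the Response check would accept any unsolicited login as long as the string was well-formed.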