[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] AuthnQuery
> How about the use case where a user interacts with a
> browser-based application that triggers a chain of
> non-browser-based sub-processes, one of which wants to verify
> the user's authentication before acting on his behalf? In
> this case, that sub-process might not have access to the
> authn assertion provided during browser authn/access to the
> web app, but would be able to initiate a SOAP request to
> obtain a new assertion.

Right, well, classic n-tier. Hard problem. As soon as the customer sees what you have to do to solve it, suddenly security isn't so important. ;-)

I think it had better have access to *something* from the original transaction, because me giving it my password isn't really the right answer. It needs a token of some sort to attach to its SOAP request, and then subject to policy, the IdP could give it a new token with me as the subject but the sub-process' confirmation key in it. Basic delegation or impersonation depending on the use case.

If you come up with a way to do this that's sufficiently easier than Liberty ID-WSF, please let me know. I believe that I explicitly engineered the AuthnRequest and SAML 2.0 in general to support this use case. But it doesn't solve it for you without the extra headache-inducing machinery.

-- Scott
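The exchange Scott sketches (sub-process presents the user's original token to the IdP over SOAP; subject to policy, the IdP mints a new assertion with the same subject but the sub-process' own confirmation key; the downstream service accepts only that holder-of-key form) modelled in Python, as an added example that is not part of the thread and not any Liberty ID-WSF or SAML toolkit code. The namespace URIs and the bearer/holder-of-key method URIs are the standard SAML 2.0 values; the issuer, service and user names, the key names, the `DELEGATION_POLICY` table and the assertion IDs are constructed, and XML signing plus the transport-level proof of key possession are assumed to be handled elsewhere:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
for prefix, uri in (("saml", SAML), ("ds", DS), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)


def q(ns, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


# Constructed IdP policy (hypothetical): which sub-process may obtain a token
# about a user of a given web app, and which downstream audience that token gets.
DELEGATION_POLICY = {
    "https://webapp.example/sp": {"https://order-svc.example": "https://billing.example"},
}


def _assertion(aid, issuer, user, method, now, minutes, audience, key_name=None):
    """Build a minimal SAML 2.0 Assertion (unsigned; signing is assumed to happen elsewhere)."""
    a = ET.Element(q(SAML, "Assertion"), Version="2.0", ID=aid, IssueInstant=now.isoformat())
    ET.SubElement(a, q(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(a, q(SAML, "Subject"))
    ET.SubElement(subj, q(SAML, "NameID")).text = user
    sc = ET.SubElement(subj, q(SAML, "SubjectConfirmation"), Method=method)
    if key_name:
        # Holder-of-key: the presenter must prove possession of this key; the token alone is not enough.
        scd = ET.SubElement(sc, q(SAML, "SubjectConfirmationData"),
                            {q(XSI, "type"): "saml:KeyInfoConfirmationDataType"})
        ET.SubElement(ET.SubElement(scd, q(DS, "KeyInfo")), q(DS, "KeyName")).text = key_name
    conds = ET.SubElement(a, q(SAML, "Conditions"), NotBefore=now.isoformat(),
                          NotOnOrAfter=(now + timedelta(minutes=minutes)).isoformat())
    ET.SubElement(ET.SubElement(conds, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = audience
    return a


def issue_delegated(original, requester, requester_key, now):
    """IdP side: a sub-process presents the user's original assertion in its SOAP request
    and asks for a new one. Subject stays the user; the confirmation key becomes the requester's.
    Authentication of the requester itself is assumed to be done by the SOAP transport."""
    user = original.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID"))
    audience = original.findtext(".//" + q(SAML, "Audience"))
    conds = original.find(q(SAML, "Conditions"))
    if datetime.fromisoformat(conds.get("NotOnOrAfter")) <= now:
        raise PermissionError("original assertion has expired")
    allowed = DELEGATION_POLICY.get(audience, {})
    if requester not in allowed:
        raise PermissionError(f"{requester} is not permitted to act for users of {audience}")
    # Short lifetime and a narrow audience limit the blast radius of the delegated token.
    return _assertion("_delegated1", "https://idp.example", user, HOLDER_OF_KEY,
                      now, 5, allowed[requester], requester_key)


def accept(assertion, my_audience, presenter_key, now):
    """Downstream service: accept only a holder-of-key assertion whose key is the one the
    caller proved possession of (e.g. via TLS client auth, assumed done by the transport)."""
    sc = assertion.find(q(SAML, "Subject") + "/" + q(SAML, "SubjectConfirmation"))
    if sc.get("Method") != HOLDER_OF_KEY:
        raise PermissionError("bearer assertions are not accepted on this interface")
    if sc.findtext(".//" + q(DS, "KeyName")) != presenter_key:
        raise PermissionError("confirmation key does not belong to the caller")
    conds = assertion.find(q(SAML, "Conditions"))
    if not (datetime.fromisoformat(conds.get("NotBefore")) <= now
            < datetime.fromisoformat(conds.get("NotOnOrAfter"))):
        raise PermissionError("assertion outside its validity window")
    if assertion.findtext(".//" + q(SAML, "Audience")) != my_audience:
        raise PermissionError("assertion not addressed to this service")
    return assertion.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID"))


def demo():
    """Happy path: browser-issued bearer token -> delegated HoK token -> accepted downstream."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    original = _assertion("_browser1", "https://idp.example", "alice@example", BEARER,
                          now, 60, "https://webapp.example/sp")
    delegated = issue_delegated(original, "https://order-svc.example", "order-svc-key-2024",
                                now + timedelta(minutes=1))
    user = accept(delegated, "https://billing.example", "order-svc-key-2024",
                  now + timedelta(minutes=2))
    return user, ET.tostring(delegated, encoding="unicode")


def rejection_cases():
    """The checks that matter: unlisted requester at the IdP, a bearer token offered
    downstream, and a delegated token replayed by a caller holding a different key."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    original = _assertion("_browser1", "https://idp.example", "alice@example", BEARER,
                          now, 60, "https://webapp.example/sp")
    reasons = []
    for call in (
        lambda: issue_delegated(original, "https://rogue.example", "rogue-key", now),
        lambda: accept(original, "https://webapp.example/sp", "anything", now),
        lambda: accept(issue_delegated(original, "https://order-svc.example", "order-svc-key-2024", now),
                       "https://billing.example", "some-other-key", now),
    ):
        try:
            call()
        except PermissionError as e:
            reasons.append(str(e))
    return reasons


if __name__ == "__main__":
    print(demo()[0])
    print(*rejection_cases(), sep="\n")
```

The point of the shape is that the original browser token never leaves the IdP's trust decision: the sub-process gets a fresh, short-lived, narrowly-audienced assertion bound to its own key, so a copy leaking from the sub-process cannot be replayed by anything that does not also hold that key.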