saml-dev message


Subject: RE: [saml-dev] AuthnQuery on Synchronous Bindings


Scott, by authentication request, I meant authenticating, as in your statement below:

"... authenticating however it wants (WSS being one way) ..." What I meant was there are no SAML 'protocols' for authenticating from one entity to another (in terms of sending credentials); you have to use other ways (WSS being one).

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, June 09, 2005 10:57 AM
To: 'Thomas Wisniewski'; 'Celsus Kintanar'; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] AuthnQuery on Synchronous Bindings


> WSS could be used to do a back-channel (sync) binding. I
> don't believe there is any way in SAML to do an
> authentication request using a sync binding.

Sure there is. There just aren't any profiles that directly describe this at the moment, unless you include the ECP thing, which is "sort of" synchronous in that it sends the request to the IdP using SOAP.

WSS is a way of authenticating during the sending of a SOAP message, but at least in terms of SAML, a SOAP profile might be:

- SP responds to SOAP request with a fault (or maybe just an application response) containing an AuthnRequest.

- Agent sends AuthnRequest to IdP using SOAP, authenticating however it wants (WSS being one way)

- IdP responds with SAML Response

- Agent delivers SAML Response to SP and receives security context and possibly application data

There are obviously lots of variables one could have, like whether the agent should just extract the assertion itself and use WSS in the final step, or having the agent use metadata to determine what it needs and just issue the AuthnRequest itself to the IdP.

It's quite possible, it's just not profiled.

-- Scott
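The four-step SOAP exchange sketched above, simulated end to end as an added example (not code from the thread or from any SAML implementation). Message shapes are simplified (no IssueInstant, no XML signatures, plain-text WSS UsernameToken), and the entity IDs, endpoints and credentials are constructed; the point is the correlation check on the SP side, which accepts a Response only for a request it issued, once, from the IdP it trusts.

```python
import uuid, xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ID, IDP_SOAP, SP_SOAP = "https://idp.example.test", "https://idp.example.test/soap", "https://sp.example.test/soap"  # constructed
pending = {}  # SP-side record of AuthnRequest IDs it issued and has not yet consumed

def envelope():
    env = ET.Element(f"{{{SOAP}}}Envelope")
    return env, ET.SubElement(env, f"{{{SOAP}}}Body")
def sp_challenge():
    """Step 1: SP answers the unauthenticated SOAP call with a Fault whose <detail> carries an AuthnRequest."""
    env, body = envelope()
    detail = ET.SubElement(ET.SubElement(body, f"{{{SOAP}}}Fault"), "detail")
    rid = "_" + uuid.uuid4().hex
    ET.SubElement(detail, f"{{{SAMLP}}}AuthnRequest", ID=rid, Version="2.0", Destination=IDP_SOAP)
    pending[rid] = True
    return ET.tostring(env)
def agent_to_idp(fault_msg, user, password):
    """Step 2: agent forwards the AuthnRequest to the IdP over SOAP, authenticating with a WSS UsernameToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr, body = ET.SubElement(env, f"{{{SOAP}}}Header"), ET.SubElement(env, f"{{{SOAP}}}Body")
    tok = ET.SubElement(ET.SubElement(hdr, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password").text = password  # PasswordText form; needs TLS on the wire
    body.append(ET.fromstring(fault_msg).find(f".//{{{SAMLP}}}AuthnRequest"))
    return ET.tostring(env)
def idp_respond(msg, users):
    """Step 3: IdP checks the WSS credential and the request's Destination, then issues a SAML Response."""
    env = ET.fromstring(msg)
    tok, req = env.find(f".//{{{WSSE}}}UsernameToken"), env.find(f".//{{{SAMLP}}}AuthnRequest")
    user = tok.findtext(f"{{{WSSE}}}Username") if tok is not None else None
    if user is None or req is None or users.get(user) != tok.findtext(f"{{{WSSE}}}Password") or req.get("Destination") != IDP_SOAP:
        return None  # a real IdP would return a non-Success Status or a SOAP Fault here
    renv, rbody = envelope()
    resp = ET.SubElement(rbody, f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                         InResponseTo=req.get("ID"), Destination=SP_SOAP)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ID
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    subject = ET.SubElement(ET.SubElement(resp, f"{{{SAML}}}Assertion", Version="2.0"), f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    return ET.tostring(renv)
def sp_accept(msg):
    """Step 4: SP accepts a Response only if it answers a request this SP issued (once), is addressed to this SP, names the trusted IdP and reports Success."""
    resp = ET.fromstring(msg).find(f".//{{{SAMLP}}}Response") if msg else None
    if (resp is None or not pending.pop(resp.get("InResponseTo"), False)  # unsolicited, mis-correlated or replayed
            or resp.get("Destination") != SP_SOAP or resp.findtext(f"{{{SAML}}}Issuer") != IDP_ID
            or resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS):
        return None
    return resp.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
```

Running the four functions in order with a matching credential yields the subject name; presenting the same Response a second time, or a Response for an unknown request ID, yields None.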


