Subject: SAML, trust and WS.
Hi,
Moving on with Web service investigation and security, I came across the SAML token profile.
If I understood it right, this Token is used as part of a WS-Security message to authenticate (and possibly authorize) a user.
The use case I have seen is the following:
UserA gets a SAML assertion (related to himself).
Then he includes the Assertion as a Token in the WS-se message to Service A.
The things that are not fully clear are the following:
Where does the user get the Assertion from? The IDP? In the federated example/SSO it was clear what the relationship between user/SP/IDP was. With the Wsse I kind of don't get the full picture.
The Service somehow will have to trust the Asserting party even though they are in different trust domains? Or does this mean that the user can only be authenticated in his trust domain?
The SAML message will need to contain all the information necessary for Service A to make the decision. I mean Service A doesn't need to go somewhere else to check that the assertion is valid, as it has got all the info it requires. I guess it's here where subject confirmation might come into play?
I hope the info in the question is clear enough; otherwise don't hesitate to ask for any further details.
Thanks.
Giuseppe.