Subject: RE: [saml-dev] SAML, trust and WS.
Hi,

After a better look at the specs and situations, I can better see the differences between SSO assertion and WS assertion. My problem, though, is if I was to implement something like: WebBrowser to talk to SPA in order to access some ResourceA (which actually uses some WebServiceA). SPA trusts IDPA. Now if I wanted to provide this capability, my expectation would be that when WebBrowser tries to access ResourceA to:

a) SPA to do SSO with IDPA and so get an Assertion(SSO).
b) ResourceA actually now needs to invoke WebServiceA but he now needs a WS assertion. So he will then need a new Assertion?

The problem here is how can I bundle this together? If I don't bootstrap from SSO, how can I get the WebService Assertion (SAML Token)?

thanks.
Giuseppe.

-----Original Message-----
From: w i l l [mailto:oasis.saml@javafreelancer.net]
Sent: 05 December 2005 18:40
To: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SAML, trust and WS.

> I think that in most cases the invocation model (parties and
> security context) will be different and that a token generated
> for browser based SSO will typically be different than a token
> generated for web service invocation

i think this should be stressed over and over. speaking from my own experience, i bet that there are a lot of developers that are new to saml, attempting to implement some saml-based security system but have not grasped that the saml assertion referred to in the simple saml 1.x sso profile is used for a different purpose (and in a different context; and using a different delivery mechanism/protocol) than a saml assertion used in a wsse:Security header.

another thing that us non-experts get easily tripped up on i think, is that there are significant differences in what you can do with saml 2 compared to what you can do with saml 1.x. in the project i am working on, we are constrained to saml 1.1.

the eureka moment didn't come for me until i eventually realized that 1) saml on its own only goes so far; and 2) the Liberty Alliance and the ws-* stack are two distinct approaches to the same problem. the confusing thing is (at least it was for me) the fact that they both use ws-security and saml assertions. if i were to advise any newbies out there like myself i would say first establish from which context (Liberty or ws-*/saml 1.x or saml 2) a given explanation of saml is coming in order to make sense of all of the different (often confusing) interpretations out there.