[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML, trust and WS.
Thanks for you comments all. Hand waving it certainly is! Don't want to expend too much effort until it's clear whether such a setup is required. Scott's example is for SPa to request something from an IdP for another entity down the line. So the IdP has to keep generating transients. I don't like this. It's not "compact" enough for me. I just like the idea of each SP taking care of it's own requirements. Tom - I'm not sure what you mean by the NameIdentifier issue. Off to think some more. Alistair -- Alistair Young Senior Software Engineer UHI@Sabhal Mòr Ostaig Isle of Skye Scotland >> - The basic thrust of the whitepaper seems to be attribute pull vs. >> push. If you're going to advocate pull, you're going to have to deal >> with the name identifier issue. > > I've done plenty of flow mock-ups involving multiple tiers and I never > needed anything special. Transients simplify things (avoids the need for > encryption), but ultimately anything works. You claim they don't (on other > lists) but without any actual reasoning that I've seen nor accept. > > As an example that doesn't involve a browser... > > C = desktop client that issues searches via SOAP > IdP = IdP (duh) > SPA = metasearch engine > SPB = repository > > 1. C sends authenticated AuthnRequest or WST STR or whatever to IdP to get > SAML token > > 2. IdP returns SAML token containing a transient ID issued for SPA plus > some > attributes > > 3. C sends SOAP request to SPA with SAML token attached (maybe bearer, > maybe > not, doesn't matter) > > 4. SPA determines C access using token > > 5. SPA sends AuthnRequest or WST STR or whatever to IdP with token from C > attached with WSS > > 6. IdP recovers identity of C from transient ID and if authz, returns new > SAML token containing a transient for SPB > > 7. SPA sends SOAP request to SPB with new SAML token attached (probably > HoK) > > 8. SPB extracts NameID from token and sends AttributeQuery to IdP > > 9. IdP recovers identity of C from transient ID, and maybe returns > attributes > > etc. > > Works across however many hops you want. The trick is defining the > messages > and what goes in the tokens. The identifier part of it is trivial because > only the IdP cares about them, unless you want a more persistent > identifier, > which is no different than any other attributes. > > -- Scott > > > --------------------------------------------------------------------- > This publicly archived list supports open discussion on implementing the > SAML OASIS Standard. To minimize spam in the > archives, you must subscribe before posting. > > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/ > Alternately, using email: list-[un]subscribe@lists.oasis-open.org > List archives: http://lists.oasis-open.org/archives/saml-dev/ > Committee homepage: http://www.oasis-open.org/committees/security/ > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php > Join OASIS: http://www.oasis-open.org/join/ > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]