Subject: RE: [saml-dev] Non-web client authentication
I don't know how you can say that you don't trust an application running on the user's computer, since that application, if it was a bad guy, could do pretty much anything on the computer, including replacing the browser with their own thing that looks like a browser. On top of that, the application, once it gets the user signed in, is trusted to do the right thing for the user.

That said, the probably easiest thing to do would be for your application to act as a local web server and do an authen request to the IdP with a response going to localhost:<the port you're listening to>. Then your client could just act as an SP speaking to the IdP through the browser SSO profile.

Conor

> -----Original Message-----
> From: Andreas Åkre Solberg [mailto:Andreas.Solberg@uninett.no]
> Sent: Friday, March 03, 2006 9:29 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Non-web client authentication
>
> I need an authentication profile for clients that are not web-based.
> In our architecture we cannot trust applications to handle
> principals' credentials.
>
> We are planning to implement some compromise between user
> comfort and user credential privacy. Here is an outline of
> what we will do:
> The application must initiate an authentication session with
> the identity provider. It gets a session key back (and a
> URL to open to the user). The application launches a browser
> with the given URL including the session key.
> The user must present his credentials at the web page.
> The identity provider login portal tells the user that he is
> successfully authenticated and should return to the application X.
> The user clicks OK in the application, signalling that
> authentication is performed.
> The application sends a request to the identity provider with
> the session key asking if the user is successfully authenticated.
> The application gets back a response that the user is
> successfully authenticated, and maybe some user attributes.
>
> The protocol between the application and the IdP is SAML.
>
> Here is some old draft with more details, but somewhat outdated:
> http://domen.uninett.no/~andreas/FEIDE/nonweb-profile.html
>
> Is there anyone who has standardised something like this?
> And if not, is there any interest in doing so within OASIS? If
> not, are there any other forums that could be interested - Liberty?
>
> I would think that there should be several others that have
> the same problems that we have, and have implemented it
> somehow; please point us in the direction of other similar approaches.
>
> Kind regards
> Andreas.
>
> --
> Andreas Åkre Solberg
> Andreas.Solberg@uninett.no
> UNINETT - http://uninett.no
>
> Contact Info and PGP Public Key:
> http://andreas.solweb.no/?Account=Work
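The session-key flow Andreas outlines, as an added example that is not part of this thread or of the draft profile it links: a Python simulation in which the credential check lives entirely on the IdP side and the application only ever holds the session key, polls with it, and receives the result once. The class names, message strings, URL, time-to-live, one-shot release of the result and the in-memory user table are all assumptions made for this example.

```python
"""
Simulation of the non-web client authentication flow described in the thread:
  1. application starts a session with the IdP and gets a session key + URL
  2. application opens the URL in a browser
  3. user presents credentials to the IdP page (never to the application)
  4. user clicks OK in the application
  5. application polls the IdP with the session key and gets status/attributes
Everything below (names, messages, store, TTL) is an assumption for this example.
"""
import secrets
import time


class IdentityProvider:
    """Minimal in-memory IdP that tracks authentication sessions by key."""

    def __init__(self, users, ttl_seconds=300):
        # users: constructed {username: password} table for the demo only
        self._users = users
        self._ttl = ttl_seconds
        self._sessions = {}  # session_key -> {"state", "app", "created", "attrs"}

    def start_session(self, app_id):
        """Step 1: create a pending session and return (key, browser URL)."""
        key = secrets.token_urlsafe(32)
        self._sessions[key] = {"state": "pending", "app": app_id,
                               "created": time.time(), "attrs": None}
        # Assumed URL format; the session key rides in the query string
        return key, f"https://idp.example/login?session={key}"

    def browser_login(self, session_key, username, password):
        """Step 3: the browser-side login page; credentials stay here."""
        sess = self._sessions.get(session_key)
        if sess is None or self._expired(sess):
            return "unknown or expired session"
        if sess["state"] != "pending":
            return "session already used"
        if self._users.get(username) != password:
            return "invalid credentials"
        sess["state"] = "authenticated"
        sess["attrs"] = {"uid": username}
        return "authenticated, return to the application"

    def poll(self, session_key):
        """Step 5: application asks whether the user is authenticated."""
        sess = self._sessions.get(session_key)
        if sess is None or self._expired(sess):
            return {"status": "unknown"}
        if sess["state"] == "pending":
            return {"status": "pending"}
        if sess["state"] == "authenticated":
            sess["state"] = "consumed"  # assumption: result is released once
            return {"status": "authenticated", "attributes": sess["attrs"]}
        return {"status": "consumed"}

    def _expired(self, sess):
        return time.time() - sess["created"] > self._ttl


class NonWebApplication:
    """The desktop client: holds the session key, never the credentials."""

    def __init__(self, idp, app_id="desktop-client"):
        self._idp = idp
        self._app_id = app_id
        self._key = None

    def begin(self):
        """Steps 1-2: start the session and return the URL to open in a browser."""
        self._key, url = self._idp.start_session(self._app_id)
        return url

    def user_clicked_ok(self):
        """Steps 4-5: the user clicked OK, so ask the IdP for the outcome."""
        return self._idp.poll(self._key)


def run_flow(password_typed="correct horse"):
    """Drive the whole exchange and return each side's observable responses."""
    idp = IdentityProvider(users={"andreas": "correct horse"})  # constructed user
    app = NonWebApplication(idp)
    url = app.begin()
    early = app.user_clicked_ok()          # user clicked OK before logging in
    session_key = url.split("session=")[1]  # what the browser carries to the IdP
    login_msg = idp.browser_login(session_key, "andreas", password_typed)
    result = app.user_clicked_ok()         # the real poll after the login
    again = app.user_clicked_ok()          # a second poll gets no attributes
    return early, login_msg, result, again


if __name__ == "__main__":
    for step in run_flow():
        print(step)
```

The application never sees a password: the only secret it handles is the session key it was issued, which is also the sole thing the IdP needs to answer the poll. Polling before the browser step yields "pending" rather than an error, and a wrong password leaves the session pending, so the application learns nothing about the credential attempt itself.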