RE: [saml-dev] Non-web client authentication

["Cahill, Conor P" <conor.p.cahill@intel.com>]

> Well, the problem is not bad application and bad user, but 
> good user and bad application. A user should trust the 
> interface in which she enters her credentials. And a user 
> cannot trust a random application.

My point is that if you have an application running on the
system you *have* to trust it to be a good application unless
you have some trusted environment that prevents the
application from interfering with or simulating your credential
prompt.  Such trusted environments do not appear in most
application environments.

Moving credential collection from within an application to a 
separate browser window does *NOT* add any realistic amount
of trust or security as the user doesn't KNOW or have a way
to prove, that it is really a browser window vs a window 
displayed by the application.

The key concept being that if I can get an application onto
your computer,  I can do pretty much anything (even taking
over the keyboard).  So I question the statement that an 
application isn't trusted and I think that you are creating
a lot of work that don't add real security or trust value
to the overal equation.

> > That said, the probably easiest thing to do would be for your 
> > application to act as a local web server and do an authen 
> request to 
> > the IdP with a response going to 
> localhost:theportyourlistening to.  
> > Then your client could just act as an SP speaking to the 
> IdP through 
> > the browser SSO profile.
> 
> I do not fully understand your suggestion. Are you talking 
> about "webscraping" a login service. That's not a "real" solution.

I'm not talking about webscraping.  I'm talking about having your
application act as an SP making an authnrequest to the IdP.  You
can do this locally.  This SP would be at the address "localhost:port"
so that the idP could redirect the browser back to the application
with the authnresponse.

Conor