Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?
My Two Cents:

Q1: How does the Car Rental give AuthN info to the Airline?

A1: One solution that we've considered is to pass the Username around as part of a SAML message, which includes a SAML token as a password surrogate. The Username is plaintext (which may be hacked), but the SAML token is 'encrypted' and not very useful if intercepted. In addition, the Car Rental and Airline may decide to share Customer databases, so that a Web service (or other method) call with the Username and SAML token can provide validation of the request, as well as collection of Customer attributes from the database.

Q2 Implied: How about reciprocity?

A2: If a Legal Trust agreement is set in place (and many major online companies already use these types of agreements within their proprietary systems), then I believe that my description above will work bi-directionally... and could fit multi-directions in a network environment.

Another Option: Given that there are certain restrictions to proprietary Information, a 3rd Party Bridge could be established, and both the Car Rental and AirLine could agree to host the Customer Information (or just the Authentication server) on the 3rd Party host.... With appropriate changes to the scenario from there.

[I can fill out the scenario, but I don't know how far into the details that I'm qualified to dive.]

- Hank Simon

-----Original Message-----
From: Costello, Roger L. [mailto:costello@mitre.org]
Sent: Tuesday, May 09, 2006 1:14 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

Hi Folks,

Below I have created a sample Single Sign-on (SSO) scenario. I would appreciate input on whether this scenario is consistent with the SAML methodology. There is one part in this scenario where I am particularly fuzzy about how things would work; I have called attention to that part with "QUESTION". All comments are eagerly welcomed.
/Roger

Scenario

An airline and a rental car agency have decided to create a business relationship for their online services. It is decided that the airline will take care of customer security issues - it will store usernames and passwords, enforce password length and style, as well as how frequently the password must be changed.

During an early stage of their business relationship (before going online), the airline informs the rental car agency of the security policy that it will enforce:

- Each username must be unique.
- A password must be at least 8 characters long, and must contain both uppercase and lowercase letters.
- A password must be changed at least once every six months.
- Users will be authenticated through the presentation of their username and password over a protected (HTTPS) session.
- A user that logs in and is then inactive for more than five minutes will be automatically logged out.

The rental car agency agrees to this security policy.

The airline creates an XML document which contains all of the aspects of the security policy shown above. The XML document conforms to saml-schema-authn-context-ppt-2.0.xsd, and the XML document is placed at this URL:

http://www.AirlineInc.com/authentication-context.xml

The airline and the car rental agency then proceed to build their online services.

.............

Now the airline and the car rental agency have their online services operational. Let's observe what happens when a user accesses their systems. Let's consider the case where the user is accessing one of the services for the first time.

Case 1: The user's first access is to the Airline's service:

http://www.AirlineInc.com

The user is immediately redirected to this secure URL:

https://www.AirlineInc.com

The user clicks on the "Register Now" link, which takes him to a secure registration page. He registers a username and password. This information is stored on the airline's web site. Let's assume the user successfully registers.
The user then proceeds to purchase an airplane ticket. Upon completion, the airline service provides a link to the car rental agency's service, which the user follows:

https://www.CarRentalInc.com

Now the user is interacting with the car rental agency's service. To avoid forcing the user to log in again, the car rental service will issue a SAML authentication request to the airline.

QUESTION: How does the car rental service identify to the airline the person for which authentication information is requested? All that the car rental service knows is that an HTTP GET was issued to this URL:

https://www.CarRentalInc.com

I suppose that the car rental service could harvest some information from the HTTP GET header, but likely there isn't enough information in there to identify the user. I am fuzzy about how things would work at this point. Can someone help me?

Let's push forward....

Somehow the car rental service is able to gather up enough information about the user and then issues a SAML authentication request to the airline. The authentication request is HTTP POSTed to this URL:

https://www.AirlineInc.com/authentication_request

The airline service parses the data in the authentication request, and constructs a SAML response XML document. In English, the SAML response says this:

"This is in response to authentication request number ______. I successfully processed your request. I assert that the subject _______ (identity of the subject) was authenticated on _______ datetime through the presentation of username and password over a protected session. This assertion is valid from ______ datetime to ______ datetime."

This response XML document is then returned in the payload of the response to the original HTTP POST from the car rental service.

The car rental service receives the authentication response, parses it to discover that the user has been authenticated by the airline. The car rental agency then welcomes the user (who proceeds to make a car reservation).

TaDa!
Single Sign-on. Yea!

Case 2: The user's first access is not to the Airline's Web site, but rather to the Car Agency's Web site:

http://www.CarRentalInc.com

I'd like to discuss this on another day. Before venturing into this case, I want to make sure that I understand the above case.

---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the SAML OASIS Standard. To minimize spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/saml-dev/
Committee homepage: http://www.oasis-open.org/committees/security/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
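The SAML response that Roger paraphrases in English ("in response to request number ___ ... valid from ___ to ___"), together with the checks the car rental service should run on it before welcoming the user, as an added example that is not part of the thread or of any OASIS code. It uses only the Python standard library, the scenario's two site URLs, the SAML 2.0 element names, and a constructed timeline; the XML signature check a real service performs first is assumed to happen before these checks.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_URL = "https://www.CarRentalInc.com"     # intended audience, from the scenario
# Constructed sample timeline (not from the thread): the login, and a check 30 minutes later.
AUTHN_AT = datetime(2006, 5, 9, 17, 14, tzinfo=timezone.utc)
LATE_AT = AUTHN_AT + timedelta(minutes=30)

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")   # fixed width, so strings compare chronologically

def build_response(request_id, subject, authn_at, valid_minutes=5):
    """Airline (IdP) side: the Response that Roger paraphrased in English (unsigned here)."""
    r = ET.Element(SAMLP + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                   InResponseTo=request_id, IssueInstant=iso(authn_at))
    ET.SubElement(ET.SubElement(r, SAMLP + "Status"), SAMLP + "StatusCode", Value=SUCCESS)
    a = ET.SubElement(r, SAML + "Assertion", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=iso(authn_at))
    ET.SubElement(a, SAML + "Issuer").text = "https://www.AirlineInc.com"
    ET.SubElement(ET.SubElement(a, SAML + "Subject"), SAML + "NameID").text = subject
    cond = ET.SubElement(a, SAML + "Conditions", NotBefore=iso(authn_at),
                         NotOnOrAfter=iso(authn_at + timedelta(minutes=valid_minutes)))
    ET.SubElement(ET.SubElement(cond, SAML + "AudienceRestriction"), SAML + "Audience").text = SP_URL
    stmt = ET.SubElement(a, SAML + "AuthnStatement", AuthnInstant=iso(authn_at))
    ET.SubElement(ET.SubElement(stmt, SAML + "AuthnContext"), SAML + "AuthnContextClassRef").text = PPT
    return ET.tostring(r, encoding="unicode")

def check_response(xml, outstanding_ids, now):
    """Car rental (SP) side: (NameID, "ok") or (None, reason); assumes the signature was already verified."""
    r = ET.fromstring(xml)
    if r.get("InResponseTo") not in outstanding_ids:
        return None, "unsolicited or replayed response"
    if r.find(SAMLP + "Status/" + SAMLP + "StatusCode").get("Value") != SUCCESS:
        return None, "airline did not report success"
    a = r.find(SAML + "Assertion")
    cond = a.find(SAML + "Conditions")
    if not (cond.get("NotBefore") <= iso(now) < cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    if cond.findtext(SAML + "AudienceRestriction/" + SAML + "Audience") != SP_URL:
        return None, "assertion issued for a different audience"
    if a.findtext(SAML + "AuthnStatement/" + SAML + "AuthnContext/" + SAML + "AuthnContextClassRef") != PPT:
        return None, "authentication weaker than the agreed policy"
    outstanding_ids.discard(r.get("InResponseTo"))   # each request ID accepts exactly one response
    return a.findtext(SAML + "Subject/" + SAML + "NameID"), "ok"
```

The request ID set is what ties a response back to the request the car rental service actually sent, which is the part of the exchange Roger's QUESTION is about: the service knows the user only as "the browser that came back with a response to request N".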