Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?
> Q1: How does the Car Rental give AuthN info to the Airline?
> A1: One solution that we've considered is to pass the
> Username around as part of a SAML message, which includes a
> SAML token as a password surrogate. The Username is plaintext
> (which may be hacked), but the SAML token is 'encrypted' and
> not very useful if intercepted.

I don't understand where the separate username comes in when you have a SAML token (which in all likelihood includes the username in the Subject element).

As far as a token being useful or not if intercepted, that will have a lot more to do with the subject confirmation in the assertion than with the fact of it being encrypted or not. If a SAML assertion has a "...:bearer" subject confirmation method, anybody who presents it to the relying party is treated as having confirmed the subject (even if the assertion is encrypted), and as such it needs to be protected from interception.

With respect to the question that Roger had asked, he wanted to know how the car rental agency would initiate the AuthnRequest (e.g. before there is a SAML token lying about).

> In addition, the Car Rental and Airline may decide to share
> Customer databases, so that a Web service (or other method)
> call with the Username and SAML token can provide validation
> of the request, as well as collection of Customer attributes
> from the database.

Web services weren't in the mix in Roger's example, but if you wanted to do them, all you need is the SAML token... You don't need to also pass along the username, as it wouldn't be 'trusted' unless it was also referenced in the SAML assertion, in which case it would just be duplicate information.

Conor
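As an added illustration of the two points made above (not code from the thread or from any SAML product): a relying-party check that reads the username from the assertion's own Subject and, for a bearer SubjectConfirmation, verifies the SubjectConfirmationData constraints (Recipient, InResponseTo, NotOnOrAfter) that actually limit what an intercepted assertion is good for. The sample assertion, its issuer, recipient URL and request id are constructed for this example; signature validation is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (made-up issuer, recipient and ids).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://carrental.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>roger</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://airline.example/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML timestamps."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_recipient, expected_request_id, now_utc):
    """Return (username, problems). The username comes from the assertion's
    Subject, so a separately transmitted username adds nothing trustworthy."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no Subject/NameID")
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confirmations:
        problems.append("no SubjectConfirmation")
    for conf in confirmations:
        if conf.get("Method") != BEARER:
            continue  # holder-of-key and other methods need their own checks
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer confirmation without SubjectConfirmationData")
            continue
        # Whoever presents a bearer assertion is the subject, so these
        # attributes are the only thing binding it to this RP and this request.
        if data.get("Recipient") != expected_recipient:
            problems.append("Recipient mismatch")
        if data.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo mismatch (unsolicited or replayed)")
        expiry = data.get("NotOnOrAfter")
        if expiry is None or parse_utc(now_utc) >= parse_utc(expiry):
            problems.append("bearer assertion expired or has no NotOnOrAfter")
    return name_id, problems
```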