saml-dev message

Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Costello, Roger L.'" <costello@mitre.org>, <saml-dev@lists.oasis-open.org>
Date: Wed, 10 May 2006 15:41:42 -0400

> QUESTION:  When doing an HTTP redirect, can you add a 
> payload?  I thought a redirect was just altering an HTTP GET 
> URL to a different URL?  Is it really an HTTP redirect that 
> occurs?  I am fuzzy on what happens between the time the user 
> clicks on the link, to the time he arrives at the car rental 
> agencies' service.

Redirect payloads are on the query string. Beyond that I can't understand
your question. If you haven't actually read the SAML bindings and SSO
profile specs, you really should. They should answer all these questions.

> QUESTION: 
> The car rental service is now being presented with a pair of things: 
>       - a user, and 
>       - an unsolicited Authentication Response XML document. 

No, the user's browser is presenting a SAML Response message via some
binding, usually POST or Artifact.

> The car rental service is being invoked by an HTTP POST, so 
> the identity of the user is opaque to the car rental service, 
> right?  (There isn't sufficient information in the HTTP 
> header to identify the user, right?) 

The bearer of the Response containing a bearer-confirmed Assertion is by
definition "the user". That's how SSO works. There's no header involved.

> How does the car rental service know that the Subject in the 
> Authentication Response XML document corresponds to the user?  

This is a tautology. You're not getting the bearer concept, I don't think.

> 2. The Car Rental Agency Authenticates the User via Indexible 
> Referencing

It's indexical reference, and it's not "a second approach", it is how SAML
web SSO works, period. It's just a technical name for it.

> Scott Cantor described a technology that the car rental 
> service can use to obtain an Authentication Response XML 
> document for the user.  The technology is called indexible 
> referencing.  Here's how it works: 

No, what I did was try and explain the relationhsip between SAML SSO
messages and the user. The user is the one relaying the messages between thw
two web sites, and is implicitly the subject of them.

> The car rental service constructs an Authentication Request 
> XML document.  In this XML document the Subject is identified 
> as "the guy wielding the browser" 

This again is a tautology in SAML SSO.

> QUESTION: how is this expressed in a <saml:Subject> element?

It's not.

> The airline service parses the Authentication Request XML 
> document, and constructs an Authentication Response XML 
> document.  From Scott's email I am not sure what happens 
> next.  Does the airline service send the Authentication 
> Response XML document directly to the car rental service?  

No. The SAML SSO protocol exchange is mediated by the browser because that's
how the user is factored into it.

> Or, does the airline service send the Authentication Response 
> XML document to the user's browser, which then forwards it to 
> the car rental service? 

Yes. Always.

-- Scott

References:
- RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?
  - From: "Costello, Roger L." <costello@mitre.org>