RE: [saml-dev] I have created a sample SSO scenario; Am I understanding

saml-dev message

Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

From: "Cahill, Conor P" <conor.p.cahill@intel.com>

To: "Costello, Roger L." <costello@mitre.org>,<saml-dev@lists.oasis-open.org>

Date: Wed, 10 May 2006 13:40:49 -0700

1. The Airline Pushes an Unsolicited SAML Authentication Response to the Car Rental Agency

In this approach the user makes his way to the car rental service via an indirect route. Clicking on the link doesn't take him to the car rental service; instead, it takes him back to the airline service. Here's the link's URL:

https://www.AirlineInc.com/IdP/transfer?TARGET=https://www.CarRentalInc.com

Note the query parameter (the param=value pair after the question mark).

The airline service is activated and constructs an Authentication Response XML document. It then does an HTTP redirect (using the value of the TARGET query parameter), redirecting the user to the car rental service, and attaches the Authentication Response XML document as the payload of the HTTP redirect.

QUESTION: When doing an HTTP redirect, can you add a payload? I thought a redirect was just altering an HTTP GET URL to a different URL? Is it really an HTTP redirect that occurs? I am fuzzy on what happens between the time the user clicks on the link, to the time he arrives at the car rental agencies' service.

what actually happens is something along the lines of:

The browser goes to https://www.AirlineInc.com/IdP/transfer.

The AirlineInc.com site then processes the rest of the parameters on the URL (the won't necessarily be the car rental URL you've listed, it may be something as simple as "123928" which internally the Airline site has associated with the car rental company -- this is OK because the parameters at this point are just data sent from the Airline back to itself for parsing.

Upon figuring out that you want to go to CareRentalInc.com, the Airline site has (or looks up) the Metadata for CarRentalInc.com and generates an assertion appropriate for CarRentalInc.com (note also that for this to really work, the Airline must have some understanding of what is an acceptable assertion at CarRentalInc.com -- that happens out-of-band and out-of-scope for SAML).

AilineInc.com then, depending upon the profile being used, either a) sends an HTTP-Redirect to the browser which redirects the browser to the AssertionConsumptionURL with an Artifact, or b) sends an HTTP Form containing the assertion to the browser with javascript that does an automatic post to the AssertionConsumptionURL at CarRentalInc.com

The browser then pops over to the AssertionConsumerURl at CarRentalInc.com and CarRentalInc follows through on the appropriate protocol (dereference the artifact or just conuming the assertion if it was a post).

Assuming that succeeds, CarRentalsInc would typically redirect the browser to a more applicable page within carRentalsInc.com, providing the "logged-in" experience to the user.

this is but one of the many different sequences that could come into play.

Conor