saml-dev message



Subject: Distributed IDP model



I'm wondering if/how SAML 2.0 protocols (browser artifact profile) support distributing the IDP role between two separate entities.

Say we have a circle of trust consisting of many IDPs and many SPs.  The IDPs handle primary authentication of end users, and the SPs consume SAML artifacts for single sign-on purposes.  So far so good.

Now suppose the IDPs decide they don't want to invest in full-blown SAML servers.  Instead all members of the circle agree to designate one central entity to provide SAML services (artifact generation & validation, assertion generation) to all relying parties.

In this model, some steps normally carried out by an IDP are delegated to the central identity authority (CIA):

(1) IDP authenticates user
(2) CIA provides artifact to IDP
(3) IDP redirects browser to SP with artifact
(4) SP sends artifact to CIA for validation
(5) CIA provides assertion to SP
(6) SP provides online services to user

It's not clear to me how standard SAML protocols would support step 2 above.  What's needed is a SOAP request for which the standard response is a SAML artifact.

Did OASIS (or LAP) consider this type of distributed model?  Any guidance on this would be much appreciated.

Michael McCormick, CISSP
Lead Architect, Information Security
Wells Fargo Bank
255 Second Avenue South
MAC N9301-01J
Minneapolis MN 55479
612-667-9227 (desk)
612-667-7037 (fax)
612-590-1437 (cell)
612-621-1318 (pager)
michael.mccormick@wellsfargo.com (AIM)
michael.mccormick@wellsfargo.com

"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.
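The six-step exchange described in the message above, as an added example that is not part of the original post and not OASIS or Liberty Alliance code. The artifact layout it builds (TypeCode 0x0004, a 2-byte EndpointIndex, a 20-byte SourceID that is the SHA-1 of the issuer's entityID, and a 20-byte random MessageHandle, base64-encoded) is the SAML 2.0 Type 4 artifact from the Bindings specification. Everything else is an assumption for illustration: the entityIDs are invented, the SOAP-bound ArtifactResolve/ArtifactResponse of steps 4 and 5 is modelled as a direct method call, and the IDP-to-CIA "issue me an artifact" request of step 2 is exactly the non-standard call the author says SAML does not define, so it is written here as a hypothetical method rather than as any standard message.

```python
import base64
import hashlib
import secrets
import time

TYPE_CODE = b"\x00\x04"            # SAML 2.0 Type 4 artifact
ARTIFACT_LEN = 2 + 2 + 20 + 20     # TypeCode + EndpointIndex + SourceID + MessageHandle


def source_id_for(entity_id: str) -> bytes:
    """SourceID is the SHA-1 of the artifact issuer's entityID (SAML 2.0 Bindings)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(artifact: str) -> dict:
    """Decode a Type 4 artifact into its fields; raises ValueError on malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 2.0 Type 4 artifact")
    return {
        "type_code": int.from_bytes(raw[:2], "big"),
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


class CentralIdentityAuthority:
    """The CIA of the post: issues artifacts to IDPs, resolves them for SPs (hypothetical)."""

    def __init__(self, entity_id, endpoint_index=0, ttl_seconds=300, clock=time.time):
        self.entity_id = entity_id
        self.source_id = source_id_for(entity_id)   # artifact carries the CIA's SourceID
        self.endpoint_index = endpoint_index
        self.ttl = ttl_seconds
        self.clock = clock                           # injectable for deterministic tests
        self.trusted_idps = set()
        self.trusted_sps = set()
        self._pending = {}                           # message handle -> (assertion, expiry)

    def issue_artifact(self, idp_id, subject, audience):
        """Step 2 (hypothetical, not a standard SAML request): after the IDP has
        authenticated `subject`, it asks the CIA for an artifact. The CIA records the
        assertion it will later release only to `audience`."""
        if idp_id not in self.trusted_idps:
            raise PermissionError(f"unknown IDP {idp_id}")
        handle = secrets.token_bytes(20)             # unpredictable MessageHandle
        assertion = {
            "issuer": self.entity_id,
            "subject": subject,
            "authenticating_idp": idp_id,
            "audience": audience,
            "authn_instant": self.clock(),
        }
        self._pending[handle] = (assertion, self.clock() + self.ttl)
        raw = TYPE_CODE + self.endpoint_index.to_bytes(2, "big") + self.source_id + handle
        return base64.b64encode(raw).decode("ascii")

    def resolve_artifact(self, sp_id, artifact):
        """Steps 4 and 5, ArtifactResolve/ArtifactResponse modelled as a call: return the
        assertion exactly once, or None if the artifact is malformed, unknown, already
        used, expired, or was not issued for this SP."""
        if sp_id not in self.trusted_sps:
            raise PermissionError(f"unknown SP {sp_id}")
        try:
            fields = parse_artifact(artifact)
        except ValueError:
            return None
        if fields["source_id"] != self.source_id:
            return None
        entry = self._pending.pop(fields["message_handle"], None)   # single use: pop, never get
        if entry is None:
            return None
        assertion, expiry = entry
        if self.clock() > expiry or assertion["audience"] != sp_id:
            return None
        return assertion


def sp_locate_resolver(artifact, resolver_registry):
    """SP side of step 4: map the artifact's SourceID to a resolution service from its
    trusted metadata. In the post's model this must point at the CIA, not at the IDP
    that redirected the browser in step 3."""
    fields = parse_artifact(artifact)
    return resolver_registry.get(fields["source_id"])


def run_flow(cia, idp_id, sp_id, subject, registry):
    """Steps 1 to 6 end to end; returns the assertion the SP accepts, or None."""
    artifact = cia.issue_artifact(idp_id, subject, audience=sp_id)    # steps 1 and 2
    # step 3: IDP redirects the browser to the SP carrying `artifact` (SAMLart parameter)
    resolver = sp_locate_resolver(artifact, registry)                  # step 4: SP finds the CIA
    if resolver is None:
        return None
    return resolver.resolve_artifact(sp_id, artifact)                  # steps 5 and 6
```

Two points the flow makes visible: the SP never talks to the IDP that authenticated the user, it dereferences the artifact at whichever resolution service its metadata associates with the embedded SourceID, so the artifact must carry the CIA's SourceID and the SP's metadata must list the CIA's ArtifactResolutionService; and the CIA has to enforce single use and a short lifetime on the message handle, since the artifact travels through the browser and is the only thing the SP presents to obtain the assertion.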


