saml-dev message
Subject: Re: [saml-dev] Problem with recognizing the assertion consumer


On 11/23/06, Bartosz_Leper@drq.pl <Bartosz_Leper@drq.pl> wrote:
>
> I've got a question concerning SAML 1.1. My situation is simple: I've got a
> single SAML Authority (Identity Provider) and multiple Assertion Consumers
> (Service Providers). I use the Browser/POST binding for exchanging SAML
> messages. The dataflow is pretty standard:
>
> 1. Service Provider sends an AuthenticationQuery to the Identity Provider
> through the user's browser
> 2. Identity Provider responds with an assertion through the user's browser.

Actually, this is *non*standard in SAML V1.1, which specifies that all
flows begin at the IdP.  AuthenticationQuery is something else
altogether.

> The specifications I've read (and I've read pretty much stuff) all claim
> that the assertion consumer's service URL should be known by the SAML
> Authority. OK, I agree with that - we have all this kind of stuff
> configured. But here's the tricky part: we have MULTIPLE assertion
> consumers. What is the standard way of distinguishing between them?

Well, in SAML V2.0 (and other protocols that have an AuthnRequest) the
unique identifier of the SP is handed to the IdP so that the authn
response can be targeted to a particular SP.  The IdP consults
metadata for the corresponding endpoint locations at the SP.

> In other words: the Identity Provider receives a SAML request. It
> authenticates the user and then sends the response back... but where? How
> does it know WHICH Service Provider is the origin of the request?

Again, this is not possible in SAML V1.1.  You have to invent an
AuthnRequest protocol (see SAML V2.0).

Tom
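The point Tom makes, as added example code that is not part of the original thread: on the IdP side, a SAML V2.0 AuthnRequest identifies the SP through its Issuer element, and the IdP resolves the AssertionConsumerService location from that SP's registered metadata rather than trusting the request alone. The entity IDs, URLs and the in-memory metadata registry are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed registry: SP entityID -> AssertionConsumerService locations taken from
# that SP's metadata (EntityDescriptor/SPSSODescriptor/AssertionConsumerService).
# The first entry plays the role of the default endpoint.
SP_METADATA = {
    "https://sp1.example.org/sp": ["https://sp1.example.org/acs"],
    "https://sp2.example.org/sp": ["https://sp2.example.org/acs",
                                   "https://sp2.example.org/acs-alt"],
}


def resolve_acs(authn_request_xml: str) -> str:
    """Return the ACS URL the response must be POSTed to, or raise ValueError."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    # The Issuer is what tells the IdP WHICH SP sent the request (absent in SAML 1.1).
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer; cannot identify the SP")
    entity_id = issuer.text.strip()
    registered = SP_METADATA.get(entity_id)
    if not registered:
        raise ValueError("unknown SP entityID: %s" % entity_id)
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return registered[0]  # no URL in the request: use the metadata default
    # Honour a requested ACS URL only if the SP's metadata lists it, so a request
    # cannot steer the assertion to an endpoint outside that SP's metadata.
    if requested not in registered:
        raise ValueError("AssertionConsumerServiceURL not registered for %s" % entity_id)
    return requested


# Constructed sample request, as an SP would send it through the user's browser.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2006-11-23T10:00:00Z"
    AssertionConsumerServiceURL="https://sp2.example.org/acs-alt">
  <saml:Issuer>https://sp2.example.org/sp</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(resolve_acs(SAMPLE_REQUEST))
```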