Subject: Re: [saml-dev] Query regarding SAML 2.0 WEB SSO profile <AuthnRequest>
On Mon, Mar 8, 2010 at 3:34 PM, Hari Krishna <haki.nv@gmail.com> wrote:
>
> In web SSO profile, in the 3rd communication from Service Provider to
> Identity Provider via User Agent, it is mentioned that the Service Provider
> issues an <AuthnRequest> message to be delivered by the user agent to the
> identity provider. And also mentioned that HTTP Redirect, HTTP POST or HTTP
> Artifact binding can be used to transfer the message to identity provider
> through User Agent.

That's true. If the HTTP Artifact binding is used, the <AuthnRequest> element is passed through the browser *by reference*. In the other two cases, the <AuthnRequest> element is passed *by value*.

> But the HTTP Artifact binding uses <ArtifactResolve> (Artifact Resolution
> Protocol) and not <AuthnRequest> (Authentication Request Protocol). Even the
> <ArtifactResolve> is not derived from <AuthnRequest>. Since HTTP Artifact
> binding can only produce <ArtifactResolve> message, how this binding will
> work for WEB - SSO profile?

As of SAML V2.0, the authentication request can be passed by reference via HTTP Artifact. Upon receiving the artifact, the IdP turns around and issues an <ArtifactResolve> to the SP on a back channel. The SP's response contains the <AuthnRequest> element.

See http://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Artifact.3B_IdP_Redirect_Artifact for details.

--
Tom Scavo
http://twitter.com/trscavo
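
The by-reference exchange described in the reply above, as an added example that is not part of the original message or of any SAML implementation: the SP mints a SAML 2.0 type 0x0004 artifact for its <AuthnRequest>, the IdP decodes it and builds an <ArtifactResolve>, and the SP answers with an <ArtifactResponse> carrying the request exactly once. Assumptions: the class and function names, the entity ID and the sample request are constructed, and message signing, <Issuer> and <Status> are left to an authenticated back channel.

```python
import base64, hashlib, secrets, struct
import xml.etree.ElementTree as ET  # use a hardened XML parser for untrusted input

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SP_ENTITY_ID = "https://sp.example.org/saml"  # constructed entity ID
AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" '
                 'Version="2.0" IssueInstant="2010-03-08T15:34:00Z"/>')  # constructed

class ServiceProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pending = {}  # artifact -> AuthnRequest XML awaiting resolution

    def issue_artifact(self, authn_request_xml, endpoint_index=0):
        # Type 0x0004: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
        source_id = hashlib.sha1(self.entity_id.encode()).digest()
        raw = struct.pack(">HH", 4, endpoint_index) + source_id + secrets.token_bytes(20)
        artifact = base64.b64encode(raw).decode()
        self.pending[artifact] = authn_request_xml
        return artifact  # only this value crosses the browser (SAMLart parameter)

    def resolve(self, artifact_resolve_xml):
        # Back channel: answer <ArtifactResolve> with an <ArtifactResponse>.
        req = ET.fromstring(artifact_resolve_xml)
        artifact = req.findtext(f"{{{SAMLP}}}Artifact")
        resp = ET.Element(f"{{{SAMLP}}}ArtifactResponse", InResponseTo=req.get("ID", ""))
        stored = self.pending.pop(artifact, None)  # one-time use: replays get no payload
        if stored is not None:
            resp.append(ET.fromstring(stored))
        return ET.tostring(resp, encoding="unicode")

def idp_build_resolve(artifact, sps_by_source_id):
    # IdP side: decode the artifact, map SourceID to a known SP, build <ArtifactResolve>.
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    sp = sps_by_source_id.get(raw[4:24])
    if sp is None:
        raise ValueError("SourceID does not match any known SP")
    el = ET.Element(f"{{{SAMLP}}}ArtifactResolve", ID="_" + secrets.token_hex(16), Version="2.0")
    ET.SubElement(el, f"{{{SAMLP}}}Artifact").text = artifact
    return sp, ET.tostring(el, encoding="unicode")

def demo():
    # Returns the artifact, the first ArtifactResponse and a replayed one.
    sp = ServiceProvider(SP_ENTITY_ID)
    artifact = sp.issue_artifact(AUTHN_REQUEST)
    known = {hashlib.sha1(SP_ENTITY_ID.encode()).digest(): sp}
    target, resolve_xml = idp_build_resolve(artifact, known)
    return artifact, target.resolve(resolve_xml), target.resolve(resolve_xml)
```

The second resolution of the same artifact returns an empty <ArtifactResponse>, which is the one-time-use behaviour an SP should enforce so a captured artifact cannot be redeemed twice.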