
saml-dev message



Subject: Re: [saml-dev] Query regarding SAML 2.0 WEB SSO profile <AuthnRequest>


On Mon, Mar 8, 2010 at 3:34 PM, Hari Krishna <haki.nv@gmail.com> wrote:
>
> In web SSO profile, in the 3rd communication from Service Provider to
> Identity Provider via User Agent, it is mentioned that the Service Provider
> issues an <AuthnRequest> message to be delivered by the user agent to the
> identity provider. And also mentioned that HTTP Redirect, HTTP POST or HTTP
> Artifact binding can be used to transfer the message to identity provider
> through User Agent.

That's true. If the HTTP Artifact binding is used, the <AuthnRequest>
element is passed through the browser *by reference*. In the other two
cases, the <AuthnRequest> element is passed *by value*.

> But the HTTP Artifact binding uses <ArtifactResolve> (Artifact Resolution
> Protocol) and not <AuthnRequest> (Authentication Request Protocol). Even the
> <ArtifactResolve> is not derived from <AuthnRequest>. Since HTTP Artifact
> binding can only produce <ArtifactResolve> message, how this binding will
> work for WEB - SSO profile?

As of SAML V2.0, the authentication request can be passed by reference
via HTTP Artifact. Upon receiving the artifact, the IdP turns around
and issues an <ArtifactResolve> to the SP on a back channel. The SP's
response contains the <AuthnRequest> element. See

http://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Artifact.3B_IdP_Redirect_Artifact

for details.

-- 
Tom Scavo
http://twitter.com/trscavo
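
The by-reference exchange described in the reply above, as an added example that is not part of the original message: the SP stores the <AuthnRequest> and hands the browser a type 0x0004 artifact, and the IdP resolves it over the back channel. The class names, the entityID and the sample request are constructed, and a direct method call stands in for the authenticated SOAP <ArtifactResolve>/<ArtifactResponse> exchange.

```python
import base64, hashlib, secrets, struct

TYPE_CODE = 0x0004  # SAML V2.0 artifact format: TypeCode, EndpointIndex, SourceID, MessageHandle

def parse_artifact(artifact):
    """Return (endpoint_index, source_id, message_handle) or raise ValueError."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:                      # 2 + 2 + 20 + 20 bytes
        raise ValueError("type 0x0004 artifact must be 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return endpoint_index, raw[4:24], raw[24:44]

class ServiceProvider:
    def __init__(self, entity_id):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()  # SourceID = SHA-1(entityID)
        self._pending = {}                  # MessageHandle -> stored <AuthnRequest> XML

    def issue_artifact(self, authn_request_xml, endpoint_index=0):
        handle = secrets.token_bytes(20)    # unguessable reference to the stored message
        self._pending[handle] = authn_request_xml
        raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + self.source_id + handle
        return base64.b64encode(raw).decode()   # travels in the SAMLart parameter

    def artifact_resolve(self, artifact):
        """Back-channel handler: pop() enforces one-time use of the artifact."""
        handle = parse_artifact(artifact)[2]
        return self._pending.pop(handle, None)

class IdentityProvider:
    def __init__(self, known_sps):
        self._by_source_id = {sp.source_id: sp for sp in known_sps}  # stands in for metadata

    def receive_artifact(self, artifact):
        source_id = parse_artifact(artifact)[1]
        sp = self._by_source_id.get(source_id)
        if sp is None:
            raise LookupError("artifact issuer not found in metadata")
        message = sp.artifact_resolve(artifact)  # simplified <ArtifactResolve> call
        if message is None:
            raise LookupError("artifact unknown or already resolved")
        return message

def demo():
    sp = ServiceProvider("https://sp.example.org/saml")  # constructed entityID
    idp = IdentityProvider([sp])
    artifact = sp.issue_artifact('<samlp:AuthnRequest ID="_constructed" Version="2.0"/>')
    return idp, artifact, idp.receive_artifact(artifact)
```

Only the 44-byte reference passes through the user agent; a second attempt to resolve the same artifact fails because the SP has already discarded the stored message.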

