Subject: RE: [saml-dev] FW: SAML 2.0 Authentication Request Questions
Colin,

One of the issues you have is the subject confirmation domain of the assertion received back by the Service Agency in step 4. A typical SAML IDP would generate an assertion for the Service Agency, not for your Assertion Service SAML IDP (ASSI). So the first step would be to get an assertion in step 4 that was usable at both the Service Agency and ASSI (or have a way for the Service Agency to ask the Login Service SAML IDP for an assertion for the ASSI – such as the Liberty IDWSF Discovery Service or Authentication Service).

Once the Service Agency has an authentication Assertion for the ASSI, you could handle step 5 in two steps and be fully within the standard:

- Service Agency sends an unrequested AuthnResponse with the assertion to the Assertion Consumer URL at the ASSI.
- ASSI processes the assertion, creates an "authentication Session" associated with that assertion and returns a handle (e.g. as a cookie).
- Service Agency sends an AuthnRequest for attributes containing said handle and the ASSI processes said request.
- ASSI sends a response with assertion and attributes.

The 2nd stage of this could probably more easily be handled with an AttributeQuery than an AuthnRequest since that is actually what you are doing (as far as I can tell).

Conor

From: Colin Wallis [mailto:Colin.Wallis@dia.govt.nz]

Yea, we screwed up our elements in Request and Response somewhat.. sorry ... :-)

So..

1) Is there any element to pass the SAML Assertions received in step 4, inside the SAML AuthnRequest in step 5, other than the extension element?

2) The attribute nametypes (name, DoB, gender etc) returned in step 7 will be a URI inside the <AuthnContextClassRef> element.

Any clearer?

Cheers
Colin

-----Original Message-----

On Thu, May 31, 2012 at 1:41 AM, Colin Wallis <Colin.Wallis@dia.govt.nz> wrote:
>
> 1. Can we use <AuthnContextDecl> element to pass SAML authentication
> assertion in the authentication request to the assertion service?

The <AuthnContextDecl> element is a child element of <AuthnContext> in the response, not the request, so I'm not sure what you mean...

> 2. Can we use <AuthnContextClassRef> element to pass attribute names in
> the authentication request to the assertion service?

By reference? To what?

Sorry I can't be of more help, perhaps you can clarify your questions a bit more.

Tom
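The point Conor raises first, that the assertion from step 4 has to have been issued for the ASSI before the ASSI can consume it, comes down to two things a relying party checks after signature validation: the AudienceRestriction in Conditions and the bearer SubjectConfirmationData Recipient. The following is an added example illustrating that check; it is not code from any poster on this thread or from any SAML product. The assertion, the entity IDs (https://assi.example.test/sp, https://service-agency.example.test/sp) and the ACS URL are constructed sample values, and signature verification is assumed to have been done before these checks run.

```python
"""Check whether a SAML 2.0 bearer assertion was issued for a given relying party.

Added example for the saml-dev thread above; not code from any poster.
The assertion below is constructed sample data, not a real IdP response.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the Login Service IdP named both the Service Agency
# and the ASSI as audiences, and the ASSI's ACS as bearer Recipient.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2012-05-31T01:41:00Z">
  <saml:Issuer>https://login.example.test/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://assi.example.test/acs"
          NotOnOrAfter="2012-05-31T01:46:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-05-31T01:40:00Z" NotOnOrAfter="2012-05-31T01:46:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://service-agency.example.test/sp</saml:Audience>
      <saml:Audience>https://assi.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-05-31T01:41:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed clock values: one inside the validity window, one after it.
SAMPLE_NOW = datetime(2012, 5, 31, 1, 42, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2012, 5, 31, 1, 50, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_usable_at(assertion_xml, entity_id, acs_url, now):
    """Return (ok, reasons): may `entity_id` consume this bearer assertion at `now`?

    Signature validation is assumed to have been done by the caller; this
    only evaluates the conditions that decide whom the assertion was issued for.
    """
    root = ET.fromstring(assertion_xml)
    reasons = []

    # Conditions/AudienceRestriction: the consuming entity must be named.
    audiences = {(a.text or "").strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if entity_id not in audiences:
        reasons.append(f"{entity_id} is not an Audience of the assertion")

    # Conditions validity window.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            reasons.append("assertion not yet valid (Conditions/NotBefore)")
        if noa and now >= _ts(noa):
            reasons.append("assertion expired (Conditions/NotOnOrAfter)")

    # Bearer SubjectConfirmation: Recipient must be our ACS and still be fresh.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != acs_url:
            continue
        noa = data.get("NotOnOrAfter")
        if noa and now >= _ts(noa):
            continue
        confirmed = True
    if not confirmed:
        reasons.append(f"no bearer SubjectConfirmation with Recipient={acs_url} valid at {now.isoformat()}")

    return (not reasons, reasons)


if __name__ == "__main__":
    for entity, acs in [("https://assi.example.test/sp", "https://assi.example.test/acs"),
                        ("https://other.example.test/sp", "https://other.example.test/acs")]:
        ok, why = assertion_usable_at(SAMPLE_ASSERTION, entity, acs, SAMPLE_NOW)
        print(entity, "->", "usable" if ok else "rejected", why)
```

Run against the sample, the ASSI is accepted while an entity that the IdP did not name is rejected on both the audience and the recipient check; the same assertion presented after NotOnOrAfter is rejected even by the ASSI. This is exactly why, in Conor's layout, the Login Service IdP (or a discovery/authentication service acting for it) must mint an assertion that names the ASSI, rather than the Service Agency forwarding one that was scoped only to itself.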