[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] Questions related to SAMLv2.0
On 3/12/14, 3:58 PM, "Tom Scavo" <trscavo@gmail.com> wrote: >On Wed, Mar 12, 2014 at 2:32 PM, Security Developer ><security.developer22@gmail.com> wrote: >> >> 1- How persistent name identifier will be established between IDP and >> multiple SPs when using SAML webSSO profile? > >Practically speaking, Persistent NameIDs are created at the IdP and >passed to SPs just-in-time, they are not prearranged in advance. I think maybe the OP is asking about how to avoid them being unique at every SP. One answer is that you don't use them for that use case, use something else. Another is the concept of Affiliations from Liberty that were included in SAML, which group SPs into sets that get the same identifier from the SP. >>3- In which request form SAML assertions pass from one SP to another and >>so >> on in order to achieve webSSO? > >In my world, anyway, assertions travel from IdP to SP only. The only >exception is the IdP Proxy (which you can read about in SAML Core). In >that case, the IdP Proxy is both a consumer and producer of >assertions, that is, it is both an SP and an IdP. Put another way, SSO in SAML and the protocols it copied and that copy it is a function of authentication at the IdP, and not of the protocol itself. SPs don't give each other SSO, using a cookie or certificate to authenticate to the IdP does. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]