Subject: Re: [saml-dev] Question - SP authorization check
Security Developer wrote at 2015-9-10 18:41 +0500:
>In SP initiated web SSO, when SAML authentication response is received at
>SP, the SP apart from other things validates the SAML assertion and creates
>session of the user at SP.
>
><saml:Subject>
>  <saml:NameID
>Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
>    3f7b3dcf-1674-4ecd-92c8-1544f346baf8
>  </saml:NameID>
>  <saml:SubjectConfirmation
>Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>    <saml:SubjectConfirmationData InResponseTo="identifier_1"
>Recipient="https://sp.example.com/SAML2/SSO/POST"
>NotOnOrAfter="2004-12-05T09:27:05Z"/>
>  </saml:SubjectConfirmation>
></saml:Subject>
>
>If NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>then session at SP belongs to which user?

Some user authenticated by the authority who generated the assertion.
If you need more information, then you cannot use the "transient"
NameID format.

>because it is an opaque
>information in NameID. Also how authorization checks will be performed at
>SP as user is opaque in the assertion.

The authorization is usually made based on the identity providing
authority - not based on the individual user.

The following is a typical scenario: Assume you have a cooperation of
independent institutions where the cooperation allows institution members
to use some services of the partner institutions. In this case, it is not
necessary to know the individual member. It is only necessary to know that
it is a member of a partner institution.

--
Dieter
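The pattern Dieter describes, shown as an added example that is not part of the original thread: the SP checks the bearer SubjectConfirmationData (InResponseTo, Recipient, NotOnOrAfter) exactly as the question's snippet lays out, and then authorizes on the Issuer against an allowlist of partner IdPs rather than on the opaque transient NameID. The assertion below is constructed from the snippet in the question with a hypothetical Issuer added; the partner allowlist, function names and the assumption that the XML signature has already been verified are all the example's own, not the list's or any library's.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the Subject from the question, wrapped in an Assertion
# with a hypothetical Issuer. Signature omitted; see the note on verify order.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.partner-a.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="identifier_1"
        Recipient="https://sp.example.com/SAML2/SSO/POST"
        NotOnOrAfter="2004-12-05T09:27:05Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Hypothetical allowlist: issuer entityID -> institution the SP trusts.
# This is the authorization decision input; the user is never identified.
PARTNER_IDPS = {"https://idp.partner-a.example.org": "partner-a"}


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bearer_confirmation_ok(confirmation, expected_request_id, expected_recipient, now):
    """Apply the SAML 2.0 Web SSO bearer checks to one SubjectConfirmation."""
    if confirmation.get("Method") != BEARER:
        return False
    data = confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return False
    if data.get("InResponseTo") != expected_request_id:
        return False  # not the AuthnRequest this SP issued (replay / cross-session)
    if data.get("Recipient") != expected_recipient:
        return False  # assertion was minted for a different endpoint
    expiry = data.get("NotOnOrAfter")
    if expiry is None or now >= parse_saml_time(expiry):
        return False  # expired, or IdP failed to bound the assertion's lifetime
    return True


def authorize_assertion(xml_text, expected_request_id, expected_recipient, now,
                        partner_idps=PARTNER_IDPS):
    """Return the SP session principal for a verified assertion, or a refusal.

    Assumes the caller has already verified the XML signature; only a
    signed assertion's Issuer is worth trusting for authorization.
    """
    root = ET.fromstring(xml_text)

    # Step 1: authorization is on the issuing authority, not the subject.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in partner_idps:
        return {"ok": False, "reason": "issuer is not a partner institution IdP"}

    # Step 2: the subject must be confirmed as bearer for this request.
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return {"ok": False, "reason": "assertion has no Subject"}
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not any(bearer_confirmation_ok(c, expected_request_id, expected_recipient, now)
               for c in confirmations):
        return {"ok": False, "reason": "no valid bearer SubjectConfirmation"}

    # Step 3: a transient NameID is only a per-session handle; keep it for
    # logout correlation and logging, but grant nothing on its value.
    nameid = subject.find("saml:NameID", NS)
    handle = (nameid.text or "").strip() if nameid is not None else ""
    nameid_format = nameid.get("Format") if nameid is not None else None
    return {
        "ok": True,
        "institution": partner_idps[issuer],
        "issuer": issuer,
        "nameid_format": nameid_format,
        "opaque_user": nameid_format == TRANSIENT,
        "session_handle": handle,
    }


if __name__ == "__main__":
    when = parse_saml_time("2004-12-05T09:25:00Z")  # inside the validity window
    print(authorize_assertion(SAMPLE_ASSERTION, "identifier_1",
                              "https://sp.example.com/SAML2/SSO/POST", when))
```

The order matters: signature first (outside this snippet), then Issuer against the partner list, then the bearer checks, and only then is the transient NameID stored as a session handle. Nothing in the SP's access decision depends on the NameID value, which is exactly why the transient format is sufficient for the scenario in the reply.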