RE: [security-services-comment] Public Comment

["Philpott, Robert" <rphilpott@rsasecurity.com>]

In SAML 2.0, it is not a "browser/artifact SSO profile".  There is a
"browser SSO profile" and there is an "HTTP artifact binding", "artifact
resolution protocol", and an "artifact resolution profile".

Artifacts/artifact resolution now just provide a way to get a MESSAGE
transferred from one SAML party to another. This is quite different from
SAML 1.x, where an artifact referred to a specific ASSERTION and was
only used to get a specific assertion transferred in a message from the
asserting party to the relying party using a direct SOAP back channel.

In 2.0, artifacts can be used for getting any message sent in either
direction between parties.  They no longer have anything to do with
assertions.

With that explanation out of the way, the reason for choosing the
artifact profile in the first place is because you need to get the
user's browser transferred from one site to the other in association
with the message that is being transferred, but for various reasons, you
do not want the actual message transferred via the browser (e.g. in URL
params or a FORM POST).  The artifact binds the browser session to the
message being exchanged AND serves to redirect the user's browser to the
other site in the process.

For example, the user points their browser to an SP.  Sure, the SP knows
the IDP's SOAP endpoints and could directly send it an <AuthnRequest>
message, but the IDP would not have access to the browser in order to
challenge the user to log in.  The SP has to redirect the user's browser
to the IDP.

Make sense?

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott


> -----Original Message-----
> From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org]
> Sent: Thursday, October 20, 2005 8:32 AM
> To: security-services-comment@lists.oasis-open.org
> Subject: [security-services-comment] Public Comment
> 
> Comment from: L.Beekmann@intershop.com
> 
> Name: Lars Beekmann
> Title: Diplomand
> Organization: Intershop
> Regarding Specification: SAML 2.0
> 
> Hi @ all,
> 
> could anyone tell me, what where the reasons that in the SAML
Use-Cases
> e.g. Browser/Artifact SSO profile there is no direct communication
between
> SP and IdP when the <AuthRequest> / <AuthResponse> are sent. The point
of
> my question is, that IdP and SP know each others SAML-SOAP-Endpoints
so
> why do they need to communicate by sending artifacts via e.g. HTTP
> Redirect instead of directly sending SAOP messages to each other? Are
> there security reasons?
> 
> Thanks for your help!
> Lars Beekmann
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
security-services-comment-unsubscribe@lists.oasis-
> open.org
> For additional commands, e-mail: security-services-comment-
> help@lists.oasis-open.org