Subject: RE: [security-services-comment] Public Comment
In SAML 2.0, it is not a "browser/artifact SSO profile". There is a "browser SSO profile" and there is an "HTTP artifact binding", "artifact resolution protocol", and an "artifact resolution profile". Artifacts/artifact resolution now just provide a way to get a MESSAGE transferred from one SAML party to another. This is quite different from SAML 1.x, where an artifact referred to a specific ASSERTION and was only used to get a specific assertion transferred in a message from the asserting party to the relying party using a direct SOAP back channel. In 2.0, artifacts can be used for getting any message sent in either direction between parties. They no longer have anything to do with assertions.

With that explanation out of the way, the reason for choosing the artifact profile in the first place is because you need to get the user's browser transferred from one site to the other in association with the message that is being transferred, but for various reasons, you do not want the actual message transferred via the browser (e.g. in URL params or a FORM POST). The artifact binds the browser session to the message being exchanged AND serves to redirect the user's browser to the other site in the process.

For example, the user points their browser to an SP. Sure, the SP knows the IDP's SOAP endpoints and could directly send it an <AuthnRequest> message, but the IDP would not have access to the browser in order to challenge the user to log in. The SP has to redirect the user's browser to the IDP.

Make sense?

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name: =Rob.Philpott

> -----Original Message-----
> From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org]
> Sent: Thursday, October 20, 2005 8:32 AM
> To: security-services-comment@lists.oasis-open.org
> Subject: [security-services-comment] Public Comment
>
> Comment from: L.Beekmann@intershop.com
>
> Name: Lars Beekmann
> Title: Diplomand
> Organization: Intershop
> Regarding Specification: SAML 2.0
>
> Hi @ all,
>
> could anyone tell me what were the reasons that in the SAML use cases,
> e.g. the Browser/Artifact SSO profile, there is no direct communication between
> SP and IdP when the <AuthRequest> / <AuthResponse> are sent? The point of
> my question is that IdP and SP know each other's SAML SOAP endpoints, so
> why do they need to communicate by sending artifacts via e.g. HTTP
> Redirect instead of directly sending SOAP messages to each other? Are
> there security reasons?
>
> Thanks for your help!
> Lars Beekmann
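An added example, not part of this thread and not code from any SAML implementation: a small Python model of the exchange Rob describes. The artifact layout is the type-0x0004 format from the SAML 2.0 Bindings specification (type code, endpoint index, SHA-1 SourceID of the issuer, random message handle); the class name, the in-memory store, the entityIDs and the endpoint URLs are constructed stand-ins.

```python
import base64, hashlib, os, struct
from urllib.parse import parse_qs, urlencode, urlparse

def make_artifact(source_id, endpoint_index=0):
    """SAML 2.0 type-0x0004 artifact: TypeCode(2) | EndpointIndex(2) |
    SourceID(20, SHA-1 of the issuer's entityID) | MessageHandle(20, random)."""
    handle = os.urandom(20)
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode(), handle

def parse_artifact(artifact):
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or struct.unpack(">H", raw[:2])[0] != 0x0004:
        raise ValueError("not a SAML 2.0 type-0004 artifact")
    return raw[4:24], raw[24:44]  # (SourceID, MessageHandle)

class ArtifactIssuer:
    """The party that issued the message (the SP here). The message stays on this
    side; the browser only ever carries the opaque artifact."""
    def __init__(self, entity_id):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()
        self._pending = {}  # handle -> (message, entityID it is intended for)

    def redirect_url(self, message, recipient_entity_id, recipient_endpoint):
        """Front channel: send the browser to the recipient carrying only SAMLart."""
        artifact, handle = make_artifact(self.source_id)
        self._pending[handle] = (message, recipient_entity_id)
        return recipient_endpoint + "?" + urlencode({"SAMLart": artifact})

    def resolve(self, artifact, requester_entity_id):
        """Back channel (ArtifactResolve over SOAP in a real deployment): hand the
        message to its intended recipient once, then forget the handle."""
        source_id, handle = parse_artifact(artifact)
        entry = self._pending.get(handle)
        if source_id != self.source_id or entry is None or entry[1] != requester_entity_id:
            return None  # not ours, unknown or already used, or the wrong requester
        del self._pending[handle]
        return entry[0]

def run_flow():
    """SP -> browser -> IdP -> (direct) SP; returns what each leg observed."""
    sp = ArtifactIssuer("https://sp.example/metadata")
    idp, other = "https://idp.example/metadata", "https://other.example/metadata"
    authn_request = "<samlp:AuthnRequest ID='_c1' .../>"  # constructed stand-in
    url = sp.redirect_url(authn_request, idp, "https://idp.example/artifact")
    artifact = parse_qs(urlparse(url).query)["SAMLart"][0]  # what the IdP sees
    return {"message_in_url": authn_request in url,
            "wrong_party": sp.resolve(artifact, other),  # None: not the intended party
            "resolved": sp.resolve(artifact, idp),       # the message, via back channel
            "replay": sp.resolve(artifact, idp)}         # None: one-time use
```

The redirect carries the browser session to the IdP without exposing the request, and the direct resolve step is what actually transfers the message, which is why the two legs cannot be collapsed into one SOAP call.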