[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: Contradictory requirements?
>>>>> "TM" == Tim Moses <tim.moses@entrust.com> writes:
TM> Colleagues - I would like SAML to standardize protocol
TM> profiles that enable daisy-chained single-sign-on and
TM> application-chain scenarios for the standard commercial
TM> browser that do not require the final relying party to know of
TM> and trust every link in the daisy-chain. I believe this will
TM> involve each relying party redirecting the browser to the
TM> original asserting party, either directly or via its own local
TM> authority (for the inter-domain case). Such a solution would
TM> be consistent with my interpretation of the requirements, with
TM> the exception of the second sentence in [R-Intermediaries].
TM> Would others consider such a profile to be in or out of scope?
I'm not sure I believe it's actually required.
Here's my idea of how to get the effect you're looking for. I'm using
a "pull method", but i can draw out a "push method", too.
1) Web User asks Web Server 1 to be transferred to Web Server 2.
2) Web Server 1 creates a one-use ticket, Ticket 1, and then redirects
Web User to Web Server 2.
3) Web Server 2 sends Ticket 1 to Web Server 1, requesting an AuthC
assertion associated with the ticket, and Web Server 1 returns the
AuthC Assertion 1.
4) Fickle-hearted Web User asks Web Server 2 to be transferred to Web
Server 3.
5) Web Server 2 creates a one-use ticket, Ticket 2, and then redirects
Web User to Web Server 3. Note that Ticket 2 != Ticket 1.
6) Web Server 3 sends Ticket 2 to Web Server 2, requesting an AuthC
assertion associated with the ticket. Web Server 2 returns AuthC
Assertion 1 (the assertion made by Web Server 1).
etc., etc., etc.
There's another possibility here, of course, which is adding some
"callback" data into the ticket itself. In this scenario, the steps
would go something like:
1) Web User asks Web Server 1 to be transferred to Web Server 2.
[Note that if we could get these ^%&$#! Web Users to just stay put,
we'd all have a much easier job. B-)]
2) Web Server 1 creates a MAGIC ticket, Ticket 10, and then redirects
Web User to Web Server 2. The magic ticket has a format like (off
the top of my head]:
{{Web Server 1}{time}{IP Address} Digital Signature}
3) Web Server 2 looks at the MAGIC ticket, and since it sees {Web
Server 1} embedded in the ticket, it asks Web Server 1 for an AuthC
Assertion, which it gets.
4) Web User (!!) asks Web Server 2 to be transferred to Web Server 3.
5) Web Server 2 redirects Web User to Web Server 3, passing the same
MAGIC ticket, Ticket 10.
6) Web Server 3 looks at the MAGIC ticket, and since it sees {Web
Server 1} embedded in the ticket, it asks Web Server 1 for an AuthC
Assertion, which it gets. (Note: it doesn't talk to Web Server 2 at
all).
Web Servers 2 and 3 would probably also check to see that Web User is
coming from the IP address embedded in the ticket, and that the ticket
is less than N seconds old, where N is some constant defined by their
partnership with Web Server 1.
I don't particularly like this scenario, for a number of reasons:
* Once Moriarty has the MAGIC ticket (perhaps by compromising the
network between Web User and Web Server 2 or 3, or by compromising
Web Server 2 or 3 itself), he can use it willy-nilly for the N
seconds it's valuable. Because the ticket should be as long-lived as
it takes for Web User not to get annoyed from having to
re-authenticate, this could be quite long.
* The identification of Web Server 1, embedded in the ticket, is
undefined and possibly
* The ticket could get kinda large, what with the signature and all
the data and stuff.
OK, so, my two Eurocents worth.
~ESP
--
Evan Prodromou, Senior Architect eprodromou@securant.com
Securant Technologies, Inc. 415-856-9551
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC