Subject: First contact
Colleagues - I've given consideration to the "first contact" issue, and satisfied myself that the current browser profile satisfies the requirement.
For those interested in the details ...
Remember, the question is ... what will be the message flow if the subject first goes to a site that has protected content, rather than first going to an authentication site?
Push model (sender -> receiver: message)

1. Content site -> Browser: redirect
2. Browser -> Authentication site: redirect
3. Browser <-> Authentication site: authenticate
4. Authentication site -> Content site: assertion
5. Content site -> Authentication site: reference
6. Authentication site -> Browser: redirect(reference)
7. Browser -> Content site: redirect(reference)
Pull model (sender -> receiver: message)

1. Content site -> Browser: redirect
2. Browser -> Authentication site: redirect
3. Browser <-> Authentication site: authenticate
4. Authentication site -> Browser: redirect(reference)
5. Browser -> Content site: redirect(reference)
6. Content site -> Authentication site: reference
7. Authentication site -> Content site: assertion
The Push model leaves questions like ...
How does the Authentication site know where to send the assertion?
How does the Authentication site know what attributes to include in the assertion?
Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site.
This might all just mean that the Push model becomes less popular than the Pull model in this situation.
In both cases, the Content site has no opportunity to indicate its authentication requirements (one or two factor, for instance). But, perhaps, each Authentication site URL should be dedicated to a single authentication policy. Then the Content site chooses the policy by redirecting the browser to the appropriate URL.
Step 6 in the Pull model is a SAML request for one or more assertions. The request must be able to carry the reference extracted from the artifact in the redirection steps (4 and 5) as well as the list of requested attributes. So, I'll be checking the schema proposals to ensure that this is possible.
Best regards. Tim.
-------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
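The pull-model exchange in the message above, as an added worked example that is not part of the original post or of any SAML specification text. It simulates the three parties in plain Python with the design points the message raises: each Authentication site URL is dedicated to one authentication policy, the reference handed to the browser is unguessable and redeemable once, and the step-6 request carries both the reference and the list of requested attributes. All names, URLs, message tuples, field names and the sample user data are assumptions constructed for the example, not the SAML schema.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    """What the Authentication site asserts about the subject (field names are assumptions)."""
    subject: str
    issuer: str
    audience: str        # the Content site the assertion is meant for
    attributes: dict
    issued_at: float
    lifetime: float = 300.0  # seconds; assumed validity window

    def is_fresh(self, now=None):
        return (now or time.time()) - self.issued_at < self.lifetime


class Browser:
    """The subject's user agent: it only follows redirects and answers challenges."""
    def __init__(self, user, credentials):
        self.user = user
        self.credentials = credentials  # e.g. {"password", "otp"} (constructed)

    def answer_challenge(self, required):
        # The challenge is met only if the browser holds every credential the policy needs.
        return required <= self.credentials


class AuthenticationSite:
    """One Authentication site URL dedicated to a single authentication policy."""
    def __init__(self, name, policy, user_attributes):
        self.name = name
        self.policy = policy                    # set of credentials this URL demands
        self.user_attributes = user_attributes
        self._pending = {}                      # reference -> (assertion, Content site it was issued for)

    def login(self, browser, return_to):
        """Steps 3 and 4: authenticate, mint an assertion, send the browser back with a reference."""
        if not browser.answer_challenge(self.policy):
            return ("error", "authentication failed")
        attrs = dict(self.user_attributes.get(browser.user, {}))
        assertion = Assertion(browser.user, self.name, return_to, attrs, time.time())
        reference = secrets.token_urlsafe(20)   # unguessable; the browser never sees the assertion
        self._pending[reference] = (assertion, return_to)
        return ("redirect", return_to, reference)

    def request(self, requester, reference, requested_attributes):
        """Steps 6 and 7: back-channel request carrying the reference and the attribute list."""
        entry = self._pending.pop(reference, None)  # pop: a reference is redeemable exactly once
        if entry is None:
            return None                             # unknown, already used, or replayed reference
        assertion, issued_for = entry
        if issued_for != requester:
            return None                             # reference presented by a different Content site
        attrs = {k: v for k, v in assertion.attributes.items() if k in requested_attributes}
        return Assertion(assertion.subject, assertion.issuer, requester, attrs, assertion.issued_at)


class ContentSite:
    def __init__(self, name, auth_site, required_attributes):
        self.name = name
        self.auth_site = auth_site                  # chosen by policy: the URL picks the policy
        self.required_attributes = required_attributes

    def first_contact(self):
        """Step 1: an unauthenticated subject arrives; redirect the browser to the policy's URL."""
        return ("redirect", self.auth_site, self.name)

    def resume(self, reference):
        """Steps 5 to 7: the browser returns with a reference; pull and validate the assertion."""
        assertion = self.auth_site.request(self.name, reference, self.required_attributes)
        if assertion is None or assertion.audience != self.name or not assertion.is_fresh():
            return None
        return assertion


def run_pull_model(browser, content):
    """Drive the whole exchange; returns the assertion the Content site accepted, or None."""
    _, auth_site, return_to = content.first_contact()   # step 1; the browser follows it (step 2)
    outcome = auth_site.login(browser, return_to)       # steps 3 and 4
    if outcome[0] != "redirect":
        return None
    return content.resume(outcome[2])                   # steps 5, 6 and 7


# Constructed sample deployment: users, sites and attributes are made up for this example.
USERS = {"alice": {"email": "alice@example.test", "role": "editor", "ssn": "not-for-release"}}
TWO_FACTOR = AuthenticationSite("https://auth.example.test/2fa", {"password", "otp"}, USERS)
ONE_FACTOR = AuthenticationSite("https://auth.example.test/pw", {"password"}, USERS)
PAYROLL = ContentSite("https://payroll.example.test", TWO_FACTOR, {"email", "role"})
WIKI = ContentSite("https://wiki.example.test", ONE_FACTOR, {"email"})

if __name__ == "__main__":
    print(run_pull_model(Browser("alice", {"password"}), PAYROLL))          # None: policy needs otp
    print(run_pull_model(Browser("alice", {"password", "otp"}), PAYROLL))   # email and role only
```

Two checks worth noting: the Authentication site releases only the attributes the step-6 request names (so `ssn` never reaches the Content site), and a reference that has already been redeemed, or that is presented by a site other than the one named in step 1, yields no assertion.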