security-services message



Subject: Re: First contact


Hi Tim,
I appreciate discussions in this area as I feel that there are some less
clear things in SAML!  Anyway, some comments in-line.

>Push model 
>Browser                   Content site         Authentication site 
>1 <----------- redirect---------- 
>2 -------------redirect-----------------------------------> 
>3 <-------------------------authenticate------------------> 
>4                                  <-------assertion------- 
>5                                  --------reference------> 
>6 <-----------------------------------redirect(reference)-- 
>7 --------redirect(reference)---> 

>The Push model leaves questions like ... 
>How does the Authentication site know where to send the assertion? 

     By having the redirect in #1-2 contain this information

>How does the Authentication site know what attributes to include in the assertion? 

   By having the redirect specify what it wants, and letting the user or the
   user's authority make some choices.  Shibboleth use-case

>Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site. 

   This is indeed a problem.  The easiest solution is to not use
   references but entire assertions:

      http://www.x-obi.com/OBI400/andersr-browser-artifact.ppt

>In both cases, the Content site has no opportunity to indicate its authentication
>requirements (one or two factor, for instance).  

   It has that in the redirect.

Regards
Anders Rundgren
X-OBI
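The push flow in the quoted diagram, as an added Python example that is not part of the original post or of any OBI/SAML code: the initial redirect carries the return address, the required authentication level and the wanted attributes (the answers given above), the assertion is pushed and exchanged for a single-use reference, and a replayed reference is refused. Class and function names and the user directory are my own assumptions.

```python
import secrets

# Constructed sample user directory at the authentication site (not from the post).
USER_DB = {"alice": {"email": "alice@example.org", "role": "staff", "phone": "555-0100"}}


class ContentSite:
    """Relying party: emits the redirect, takes the pushed assertion, redeems references."""

    def __init__(self, name):
        self.name = name
        self.pending = {}  # reference -> assertion; entry is consumed on redemption

    def initial_redirect(self, required_level, attributes):
        # Steps 1-2: the redirect carries where to push the assertion, which
        # attributes are wanted and the authentication strength required.
        return {"return_to": self.name, "auth_level": required_level,
                "attributes": list(attributes)}

    def receive_assertion(self, assertion):
        # Steps 4-5: store the pushed assertion under an unguessable reference.
        ref = secrets.token_urlsafe(16)
        self.pending[ref] = assertion
        return ref

    def redeem(self, ref):
        # Step 7: a reference resolves exactly once; a replayed one yields None.
        return self.pending.pop(ref, None)


class AuthenticationSite:
    def authenticate_and_push(self, request, user, level_achieved, content_site):
        # Steps 3-6: refuse if the achieved level is below what the redirect asked
        # for, otherwise push an assertion limited to the requested attributes.
        if level_achieved < request["auth_level"]:
            return None
        record = USER_DB[user]
        assertion = {"subject": user, "auth_level": level_achieved,
                     "audience": request["return_to"],
                     "attributes": {k: record[k] for k in request["attributes"] if k in record}}
        ref = content_site.receive_assertion(assertion)
        return {"redirect_to": request["return_to"], "reference": ref}


def run_push_flow(required_level, level_achieved):
    """Drive one round trip; returns (first redemption, replayed redemption) or None."""
    content = ContentSite("content.example")
    request = content.initial_redirect(required_level, ["email", "role"])
    redirect = AuthenticationSite().authenticate_and_push(request, "alice", level_achieved, content)
    if redirect is None:
        return None
    return content.redeem(redirect["reference"]), content.redeem(redirect["reference"])
```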



