
security-services message



Subject: RE: Request for clarification


If a System Entity authenticates directly with the Authentication Authority, that means is outside of SAML.
 
But it has been proposed to support an intermediate Credentials Collector (proxy login) that would be specified by SAML. This is technically difficult and may be restricted to a subset of AuthN methods as SASL is.
 
Hal
-----Original Message-----
From: Kawamoto, Shirley [mailto:SKawamoto@hitachisoftware.com]
Sent: Thursday, July 26, 2001 3:24 PM
To: 'Hal Lockhart'; Security-Services (E-mail) (E-mail)
Subject: RE: Request for clarification

Thanks for response.
 
I'm a little confused about your description. It sounded to me as though you were saying that the Credentials Assertion is still being handled by SAML only by a different sub group. On the other hand, it sounds as though the actual authentication sequence is outside of SAML. Could you please clarify?
 
Regards,
Shirley
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, July 26, 2001 11:22 AM
To: Kawamoto, Shirley; Security-Services (E-mail) (E-mail)
Subject: RE: Request for clarification

If you refer to the Domain model: http://www.oasis-open.org/committees/security/docs/draft-sstc-use-domain-05.pdf
you will see that what you are asking about is a Credentials Assertion.
 
The Authentication Assertion is a report of an authentication event which occurred in the past. The request for an Authentication Assertion is not in and of itself an authentication act.
 
The TC voted to break off the work activity around the Credentials Collector and Credentials Assertion into a separate sub group. This group is being led by Stephen Farrell. There have been no recent reports of progress by this group. If you are interested in this area you might want to contact Stephen and offer to help.
 
The way SAML is intended to work at the moment is the authentication occurs between the System Entity (typically a user) making a request and the Authentication Authority, by means specified outside of SAML, e.g. HTTP basic authentication, SSL with client certificates, etc. Other entities can request an Authentication Assertion describing that event as well as Attribute Assertions describing the System Entity.
 
Hal
-----Original Message-----
From: Kawamoto, Shirley [mailto:SKawamoto@hitachisoftware.com]
Sent: Tuesday, July 24, 2001 2:17 PM
To: Security-Services (E-mail) (E-mail)
Subject: Request for clarification

As someone who is new to this group, I hope you'll forgive me for asking some questions that may have some obvious answers.

If a user is authenticating via userID and password, where is the password passed in the authentication query? What form does it take?

If a user is being authenticated with public key techniques (but something other than SSL client authentication) where are the challenge and the signature on the challenge stored? What form do they take?

Thanks,
Shirley


