Tim,

Slight return on a popular issue.

You claim that you are satisfied with the current browser profile but anyway claim that the Push model, due to inferiority, will not get popular, and in another posting claim that the Push model is "brain dead". I don't see the point of standardizing a thing that is brain dead. It would be nice if some other persons would like to comment on this. I.e. if a thing is technically "possible" but has built-in flaws that have no good solutions, I think it should be outside of a standard in order to promote interoperability.

I have, as you may have noted, not come to the same conclusions regarding the push model (my two contributed documents fully address all your concerns) but that is another thing. And the question remains: Should SAML really standardize things that are "brain dead"?

regards
Anders R
----- Original Message -----
Sent: Wednesday, July 25, 2001 23:51
Subject: First contact

Colleagues - I've given consideration to the "first contact" issue, and satisfied myself that the current browser profile satisfies the requirement.

For those interested in the details ...

Remember, the question is ... what will be the message flow if the subject first goes to a site that has protected content, rather than first going to an authentication site?
Push model (parties: Browser, Content site, Authentication site)

  1. Content site -> Browser:                 redirect
  2. Browser -> Authentication site:          redirect
  3. Browser <-> Authentication site:         authenticate
  4. Authentication site -> Content site:     assertion
  5. Content site -> Authentication site:     reference
  6. Authentication site -> Browser:          redirect(reference)
  7. Browser -> Content site:                 redirect(reference)

Pull model (parties: Browser, Content site, Authentication site)

  1. Content site -> Browser:                 redirect
  2. Browser -> Authentication site:          redirect
  3. Browser <-> Authentication site:         authenticate
  4. Authentication site -> Browser:          redirect(reference)
  5. Browser -> Content site:                 redirect(reference)
  6. Content site -> Authentication site:     reference
  7. Authentication site -> Content site:     assertion
The Push model leaves questions like ...

How does the Authentication site know where to send the assertion?
How does the Authentication site know what attributes to include in the assertion?

Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site.

This might all just mean that the Push model becomes less popular than the Pull model in this situation.

In both cases, the Content site has no opportunity to indicate its authentication requirements (one or two factor, for instance). But, perhaps, each Authentication site URL should be dedicated to a single authentication policy. Then the Content site chooses the policy by redirecting the browser to the appropriate URL.

Step 6 in the Pull model is a SAML request for one or more assertions. The request must be able to carry the reference extracted from the artifact in the redirection steps (4 and 5) as well as the list of requested attributes. So, I'll be checking the schema proposals to ensure that this is possible.

Best regards. Tim.
-------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
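The two first-contact flows Tim sketches, and the questions he raises about the Push model, can be seen side by side in a small simulation. The code below is an added example written for this thread, not code from either poster or from any SAML implementation: the parties are in-process Python objects, the "redirects" are plain function calls, the user database, attribute names and credentials are constructed values, and the opaque "reference" stands in for whatever the artifact carries. In the Pull model the Content site's step-6 request carries both the reference and its attribute list, so the Authentication site can release only what was asked for and can make the reference single-use; in the Push model the Authentication site has to be preconfigured with where to send the assertion and has not been told which attributes are wanted, which is exactly the pair of open questions in the message above.

```python
import secrets
from dataclasses import dataclass

# Constructed credential and attribute store for the Authentication site.
# These values are assumptions for the example, not anything from the thread.
USERS = {"alice": "s3cret"}
USER_ATTRS = {"alice": {"email": "alice@example.test", "role": "reader"}}


@dataclass
class Assertion:
    subject: str
    attributes: dict


class AuthenticationSite:
    """Authenticates the subject (step 3) and issues assertions.

    Pull model: hands the browser an opaque reference (step 4) and keeps the
    subject's identity until the Content site dereferences it (steps 6-7).
    Push model: sends the assertion straight to the Content site (step 4).
    """

    def __init__(self, push_target=None):
        # Push model assumption: the Authentication site must be preconfigured
        # with where to send assertions (first open question in the thread).
        self.push_target = push_target
        self._pending = {}          # reference -> subject, pull model only

    def authenticate(self, user, password):
        return USERS.get(user) == password

    def issue_reference(self, user):
        # Pull model step 4: single-use, unguessable reference for the browser
        ref = secrets.token_urlsafe(16)
        self._pending[ref] = user
        return ref

    def resolve(self, ref, requested_attrs):
        # Pull model steps 6-7: the Content site's request carries the
        # reference and the list of attributes it actually wants.
        user = self._pending.pop(ref, None)     # pop => a replayed reference yields None
        if user is None:
            return None
        attrs = {k: v for k, v in USER_ATTRS[user].items() if k in requested_attrs}
        return Assertion(user, attrs)

    def push(self, user):
        # Push model step 4: the Authentication site has not been told which
        # attributes the Content site needs (second open question), so it
        # sends all of them; step 5 returns the Content site's reference.
        assertion = Assertion(user, dict(USER_ATTRS[user]))
        return self.push_target.receive_assertion(assertion)


class ContentSite:
    """Protected site the subject contacts first (step 1)."""

    def __init__(self, auth_site, requested_attrs):
        self.auth = auth_site
        self.requested_attrs = requested_attrs
        self._pushed = {}           # reference -> Assertion, push model only

    def receive_assertion(self, assertion):
        # Push model step 5: store the assertion and answer with a reference
        ref = secrets.token_urlsafe(16)
        self._pushed[ref] = assertion
        return ref

    def handle_redirect(self, ref, model):
        # Step 7 (push) / step 5 (pull): the browser arrives carrying the reference
        if model == "pull":
            return self.auth.resolve(ref, self.requested_attrs)
        return self._pushed.pop(ref, None)


def first_contact(model, user, password):
    """Runs one complete flow ("pull" or "push"); returns the Assertion the
    Content site ends up holding, or None if authentication or
    dereferencing failed."""
    auth = AuthenticationSite()
    content = ContentSite(auth, requested_attrs=["email"])
    auth.push_target = content
    # Steps 1-2: the browser hits the Content site and is redirected to the
    # Authentication site (modelled as plain function calls here).
    if not auth.authenticate(user, password):       # step 3
        return None
    if model == "pull":
        ref = auth.issue_reference(user)            # step 4
    else:
        ref = auth.push(user)                       # steps 4-5
    # The browser is redirected back to the Content site with the reference
    return content.handle_redirect(ref, model)


if __name__ == "__main__":
    print(first_contact("pull", "alice", "s3cret"))
    print(first_contact("push", "alice", "s3cret"))
```

Running the Pull flow yields an assertion containing only the requested "email" attribute, while the Push flow yields one containing every attribute the Authentication site holds for the subject, since nothing in that flow told it what to leave out. Resolving the same Pull reference a second time returns None, which is the property a Content site would want from an artifact that travels through the browser.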