
Subject: [security-services] RE: [saml-dev] asynchronous response on SAML over SOAP over HTTP


Keep in mind, the SOAP binding is only required when it is necessary to retrieve Assertions out of band. This is used, for example, in the Browser/artifact Profile.

In the case of a transaction, our assumption had been that the Assertions would travel with the application data, in a header. Thus it would automatically be synchronous or asynchronous depending on the message. However, in this scenario, the SAML request/response protocol would not be used, only the Assertion. This interaction is currently specified in the draft WS-Security Profile.

We are now planning to support the WS-Security Token Reference scheme. The way this would work would be:

1. An SAML Assertion ID would be sent in the Token Reference Header, along with the application data, from the application client to the application server.

2. The application server, if it did not already have a copy of the assertion, would retrieve it from the Asserting Party (e.g. Attribute Authority). This would be done using the SOAP Binding.

Even in this case, it is not clear the SOAP Binding (as distinct from the WS-Security Profile) needs to support asynchronous messaging. It seems to me that once the application had received the asynchronous request and was ready to act upon it, it would want to retrieve the Assertion immediately. Therefore it seems that the application to Authority channel could remain synchronous even if the client to server channel is asynchronous.

What do you think?

Hal

> -----Original Message-----
> From: Yuji Sakata [mailto:ysakata@rd.nttdata.co.jp]
> Sent: Tuesday, July 09, 2002 9:53 AM
> To: Hal Lockhart; saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] asynchronous response on SAML over SOAP over
> HTTP
>
>
>
> > You are correct that the SOAP Binding is currently only synchronous. The
> > idea was to support a simple, mandatory to implement scheme, to insure basic
> > interoperability. Frankly no one mentioned this as a requirement. Our main
> > focus has been online environments in which an answer is needed immediately.
> Thank you for your reply. I have been able to understand the
> specification more deeply.
> Now I'm developing a SAML-aware access management system.
> It affects architecture design whether SOAP Binding supports
> asynchronous response or not, so I ask saml-dev ml about
> this question.
>
> > The SSTC (SAML) is preparing to begin work on new features very soon. It
> > would be good to submit this requirement. Do you have a usecase in mind that
> > would clarify how this capability would be used?
> I think the back-office transaction use-case, which has been already
> proposed, will require an asynchronous, reliable transport mechanism like
> ebXML for sending arbitrary e-business transaction documents (ex.
> invoices, bill...) as assertions. So I think I have to consider an
> asynchronous transport in designing the architecture.
> Is it my misunderstanding?
>
> Best Regards,
> ----------------------------------------------
> NTT Data Corporation
> Yuji Sakata
> Tel: +81-3-3523-8081
> E-Mail: ysakata@rd.nttdata.co.jp
> ----------------------------------------------
>
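
The two-step token reference flow described in the message above, as an added Python example that is not part of the original thread or of any SAML specification text. The `wsse` namespace, the `KeyIdentifier` layout, all function names and the `fetch` callable (a stand-in for the synchronous SOAP-over-HTTP call to the Asserting Party) are assumptions; the application message is constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SOAP 1.1 and SAML 1.0 namespaces; the wsse namespace and the KeyIdentifier
# layout are assumptions, since the draft profile is not quoted in the thread.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
}

# Constructed application message carrying only a reference to the assertion.
APP_MESSAGE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header><wsse:Security><wsse:SecurityTokenReference>
    <wsse:KeyIdentifier>_a75adf55-01d7-40cc</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></wsse:Security></soap:Header>
  <soap:Body><Invoice xmlns="urn:example:app">INV-1</Invoice></soap:Body>
</soap:Envelope>"""

def referenced_assertion_id(envelope_xml):
    """Step 1: read the Assertion ID from the token reference header."""
    ref = ET.fromstring(envelope_xml).find(
        "soap:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if ref is None or not (ref.text or "").strip():
        raise ValueError("message carries no assertion reference")
    return ref.text.strip()

def build_request(assertion_id):
    """SAML 1.0 samlp:Request asking the authority for one assertion by ID."""
    req = ET.Element(f"{{{NS['samlp']}}}Request", {
        "RequestID": "_" + uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS['saml']}}}AssertionIDReference").text = assertion_id
    return ET.tostring(req, encoding="unicode")

def resolve_assertion(envelope_xml, cache, fetch):
    """Step 2: use the cached copy, else fetch it with one blocking call.

    Returns (assertion_element, fetched_from_authority).
    """
    aid = referenced_assertion_id(envelope_xml)
    if aid in cache:
        return cache[aid], False
    assertion = ET.fromstring(fetch(build_request(aid))).find(".//saml:Assertion", NS)
    # Reject a reply that does not contain exactly the assertion that was referenced.
    if assertion is None or assertion.get("AssertionID") != aid:
        raise ValueError("authority did not return the referenced assertion")
    cache[aid] = assertion  # signature and validity checks belong before this line
    return assertion, True
```

The application message can arrive over any transport, queued or not; only the `fetch` call blocks, and it happens at the moment the server is ready to act on the message.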


