security-services message



Subject: [security-services] RE: Is a separate "ArtifactReceiver" required?


FWIW:

The Shibboleth flow uses two parameters, one called "target" and one
called "shire".

The shire parameter is the acceptance point at the target site which the
source site would send the user back to once finished with local
authentication.

The target is the place the user wanted to go before being so rudely
interrupted.

It sounds like the Catalyst implementers were using the target to figure
out what the shire-equivalent URL should be, and then were sending the
user there without any further indication of where the user would then
be sent. That obviously won't work as a general mechanism for
"target-first" access.

The POST profile specifically calls out the TARGET form element as being
not the place where the assertion is posted but instead the resource the
user should be sent to afterwards. This is consistent with Shib's usage
(we copy the incoming target back out into the form verbatim).

Also FWIW, we know of lots of important or useful extensions that we'd
like to have available to provide more control, but have deferred that
until we can approach it with some formalism, whether we adopt Liberty's
approach, or perhaps contribute something to a SAML 1.1 discussion (my
preference at the moment).

-- Scott
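The two flows described in the message, as an added illustration (this is not code from the message, from Shibboleth or from the Catalyst implementers): the target site redirects to the source site carrying both `shire` and `target`; the source site posts the assertion to `shire` and copies `target` back out verbatim as the `TARGET` form element, versus the target-only variant that derives the acceptance URL from `target` and carries nothing about where the user should go next. The host names, the `Shibboleth.shire` path, the placeholder response value and the check that `TARGET` points back into the target site are assumptions of this example; the `SAMLResponse` and `TARGET` field names are those of the SAML 1.x Browser/POST profile. Assertion validation at the acceptance point is out of scope.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumed hosts and paths; not taken from the message).
IDP_SSO = "https://idp.example.edu/shibboleth/SSO"
SHIRE = "https://sp.example.org/Shibboleth.shire"
TARGET = "https://sp.example.org/protected/report?id=42&view=full"
SP_HOSTS = {"sp.example.org"}


def sp_redirect_to_idp(idp_sso: str, shire: str, target: str) -> str:
    """Target site: the user asked for `target` unauthenticated, so send them to the
    source site carrying both the acceptance point (shire) and the original resource."""
    return idp_sso + "?" + urlencode({"shire": shire, "target": target})


def _query(url: str) -> dict:
    """Single-valued view of a URL's query string (percent-decoding restores the target)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, strict_parsing=True).items()}


def idp_build_post_form(request_url: str, saml_response_b64: str) -> dict:
    """Source site, as the POST profile intends: the form is posted to `shire`, and the
    incoming target is copied back out verbatim as the TARGET form element."""
    q = _query(request_url)
    return {
        "action": q["shire"],
        "fields": {"SAMLResponse": saml_response_b64, "TARGET": q["target"]},
    }


def idp_build_post_form_target_only(request_url: str, saml_response_b64: str) -> dict:
    """The variant the message says cannot work in general: derive the acceptance URL
    from the target and post there with no indication of where the user should go next."""
    q = _query(request_url)
    parts = urlsplit(q["target"])
    derived_shire = f"{parts.scheme}://{parts.netloc}/Shibboleth.shire"  # guessed location
    return {"action": derived_shire, "fields": {"SAMLResponse": saml_response_b64}}


def render_form(form: dict) -> str:
    """HTML the source site would return; values are HTML-escaped but otherwise unchanged."""
    inputs = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}"/>'
        for k, v in form["fields"].items()
    )
    return (f'<form method="post" action="{escape(form["action"])}">'
            f'{inputs}<input type="submit"/></form>')


def sp_consume_post(fields: dict, allowed_hosts=SP_HOSTS):
    """Acceptance point: after the assertion is validated (out of scope here), decide where
    to send the user. Returns the TARGET, or None when the form carried none.
    The host check is this example's own addition: only redirect to a resource on this site."""
    if "SAMLResponse" not in fields:
        raise ValueError("no SAMLResponse posted to acceptance point")
    target = fields.get("TARGET")
    if target is None:
        return None
    if urlsplit(target).netloc not in allowed_hosts:
        raise ValueError("TARGET does not point back into this site")
    return target


if __name__ == "__main__":
    req = sp_redirect_to_idp(IDP_SSO, SHIRE, TARGET)
    resp = "PHNhbWxwOlJlc3BvbnNlLz4="  # placeholder value, not a real assertion
    good = idp_build_post_form(req, resp)
    print(render_form(good))
    print("POST profile flow, send user to:", sp_consume_post(good["fields"]))
    bad = idp_build_post_form_target_only(req, resp)
    print("target-only flow, send user to:", sp_consume_post(bad["fields"]))
```

With the target carried through, the acceptance point knows to send the user on to the original resource; in the target-only variant it has an assertion and nowhere to send the user, which is the failure the message points out.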


