saml-dev message


Subject: [saml-dev] Design question using SAML

Dear all,

I hope my question(s) will be in the scope of this mailing list. I am
new to SAML, I have read the documents available on the OASIS website
regarding SAML, and I would like to make sure that my understanding of
SAML is correct, in order to make a good implementation in our project.

Basically, our project involves a central server, that receives requests
from different clients, and that is in charge of validating the requests
(i.e. giving authorization or not); authorized requests are then sent to
request processors, that might need to get information about the
originator of the request.

In this design, a client will authenticate with the central server. I
understood that SAML does not provide authentication mechanisms, only a
way to assert that a subject has been authenticated by one means or
another. Is this correct?

If yes, the central server must include an 'Access Manager', that
performs the authentication, and generates a SAML assertion, containing
one authentication statement and one or more attribute statement(s).
What happens with this assertion? Is it forwarded to the client, so that
it includes it with every request? Or is it stored in an 'Assertion
Repository', and only a reference to it is returned to the client?

Now that the client has an Assertion stating who he is, he is allowed
to send a request, with the received assertion (or assertion
reference), to the central server, more precisely to the Access Manager.
In order to perform correct authorization, what should be its next
steps? Should the Access Manager (AM) trust the assertion? If it does
not trust it, how could it validate it?

When AM is sure about the assertion's validity, should it ask a Policy
Decision Point that would decide, based on the requestor's attributes
present in the assertion, and on its own policy database, whether or not
the action should be allowed? In this case, AM would send a SAML query
to the PDP, which would reply with a SAML response containing an
Authorization Decision Statement.

If the action is authorized, the request is finally sent to one or more
request processors. If such a processor wants to validate the received
assertion, where should it check?

Thanks a lot for your help

Jean-Noel Colin
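The validation step the post asks about (whether the Access Manager should trust the assertion, and how it could check it), as an added example that is not part of the original post or of any OASIS code. It issues a SAML 1.x-style assertion carrying one AuthenticationStatement and one AttributeStatement, then validates it the way an Access Manager would before passing the subject's attributes to a PDP: trusted issuer, signature, Conditions validity window, presence of an authentication statement. The HMAC over the serialized bytes is an assumption standing in for XML Signature, and the issuer name, shared key and clock are constructed values.

```python
import hmac, hashlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
Q = lambda tag: f"{{{NS}}}{tag}"          # namespace-qualified tag name
TRUSTED_ISSUERS = {"access-manager.example": b"constructed-shared-key"}  # constructed trust store
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
LATER = NOW + timedelta(seconds=600)                      # beyond the 300 s lifetime below
KEY = TRUSTED_ISSUERS["access-manager.example"]

def iso(t):  # fixed-width UTC timestamps, so plain string comparison orders them
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_assertion(issuer, subject, attrs, key, now, ttl=300):
    """Assertion with one AuthenticationStatement and one AttributeStatement."""
    a = ET.Element(Q("Assertion"), Issuer=issuer, IssueInstant=iso(now))
    ET.SubElement(a, Q("Conditions"), NotBefore=iso(now),
                  NotOnOrAfter=iso(now + timedelta(seconds=ttl)))
    auth = ET.SubElement(a, Q("AuthenticationStatement"), AuthenticationInstant=iso(now),
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
    ET.SubElement(ET.SubElement(auth, Q("Subject")), Q("NameIdentifier")).text = subject
    st = ET.SubElement(a, Q("AttributeStatement"))
    ET.SubElement(ET.SubElement(st, Q("Subject")), Q("NameIdentifier")).text = subject
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(st, Q("Attribute"), AttributeName=name),
                      Q("AttributeValue")).text = value
    body = ET.tostring(a)   # HMAC stands in for XML-DSig here (assumption, see lead-in)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def validate_assertion(body, sig, now):
    """Access Manager checks; returns (ok, reason, subject, attrs). Hand attrs to a PDP only when ok."""
    root = ET.fromstring(body)
    key = TRUSTED_ISSUERS.get(root.get("Issuer"))
    if key is None:                       # only assertions from a known issuer count
        return False, "untrusted issuer", None, {}
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # verify before trusting any content
        return False, "bad signature", None, {}
    cond = root.find(Q("Conditions"))
    if cond is None or not (cond.get("NotBefore") <= iso(now) < cond.get("NotOnOrAfter")):
        return False, "outside validity window", None, {}
    if root.find(Q("AuthenticationStatement")) is None:   # attributes alone prove no login
        return False, "no authentication statement", None, {}
    subject = root.find(f"{Q('AuthenticationStatement')}/{Q('Subject')}/{Q('NameIdentifier')}").text
    attrs = {at.get("AttributeName"): at.find(Q("AttributeValue")).text
             for at in root.iter(Q("Attribute"))}
    return True, "ok", subject, attrs
```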
