Re: [saml-dev] Design question using SAML

[Juzer Kothambawala <jkothamb@cisco.com>]

Jean-Noel,

Comments embedded..

At 01:22 PM 12/10/2002 +0100, Jean-Noel Colin wrote:
>Dear all,
>
>I hope my question(s) will be in the scope of this mailing list. I am
>new to SAML, I have read the documents available on the OASIS website
>regarding SAML, and I would like to make sure that my understanding of
>SAML is correct, in order to make a good implementation in our project.
>
>Basically, our project involves a central server, that receives requests
>from different clients, and that is in charge of validating the requests
>(i.e. giving authorization or not); authorized requests are then sent to
>request processors, that might need to get information about the
>originator of the request.
>
>In this design, a client will authenticate with the central server. I
>understood that SAML does not provide authentication mechanisms, only a
>way to assert that a subject has been authenticated by one mean or
>another. Is this correct?

Yes, this is correct. The act of authentication is outside the scope of the 
SAML specification.


>If yes, the central server must include a 'Access Manager', that
>performs the authentication, and generates a SAML assertion, containing
>one authentication statement and one ore more attribute statement(s).
>What happens with this assertion? Is it forwarded to the client, so that
>it includes it with every request? Or is it stored in a 'Assertion
>Repository', and only a reference to it is returned to the client?

There can be two possibilities in this scenario. Either client gets the 
actual authorization assertions or a reference to it. Then at the Policy 
Enforcement Point (PEP) if the reference was received then it would have to 
be de-referenced by issuing a SAML request query to authority (or provider) 
holding the actual assertion and may also include query for attribute 
assertions for subject in question. It assumed here that the assertions are 
digitally signed to maintain its integrity and validity.

>Now that the client has an Assertion stating who he is, he is now
>allowed to send a request, with the received assertion (or assertion
>reference) to the central server, more precisely to the Access Manager.
>In order to perform correct authorization, what should be its next
>steps? Should the Access Manager (AM) trust the assertion? If it does
>not trust it, how could it validate it?

It is assumed here that authorities and the enforcement points (Access 
Manager) part of the same SAML framework where there is a pre-established 
trust relationships.

>When AM is sure about the assertion's validity, should it ask an Policy
>Decision Point that would decide, based on the requestor's attributes
>present in the assertion, and on its own policy database, whether or not
>the action should be allowed? In this case, AM would send a SAML query
>to PDP that would reply with a SAML response, containing a Authorization
>Decision Statement.

Yes, PDP is consulted when a subject is requesting for a resource that is 
guarded by the PEP.

>If the action is authorized, the request is finally sent to one or more
>request processors. If such processors wants to validate the assertion
>received, where should it check?
>
>Thanks a lot for your help
>
>Jean-Noel Colin
>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>

Juzer Kothambawala
Global Commerce Technology Group
AIM: juzersk
Phone: (408) 525-0814
Email: jkothamb@cisco.com