OASIS Mailing List Archives
saml-dev message



Subject: [saml-dev] B/A Profile and Subsequent Access Requests


Hello,

As mentioned by Prateek (http://lists.oasis-open.org/archives/saml-dev/200212/msg00010.html), in the context of the B/A Profile, the meaning of "Target" has to be mutually agreed upon by the source site and the destination site. In some cases, Target can also be ignored by the destination site, for example when the artifact receiver service and the protected resource are the same entity.

For the first access request to a protected resource on the destination site, the browser is redirected to the destination site's artifact receiver service (ARS). The ARS receives the artifact, processes it and, using the SOAP Binding, resolves the corresponding assertion. Once the assertion processing is done successfully (validation etc.), the ARS authenticates the user locally and a session gets created for this remote user. The knowledge of this local session cannot be exchanged in a standard manner, as SAML 1.0 does not specify any session exchange structures.

For the subsequent access requests to protected resources on the destination site, there are two different variations.

a. User directly makes access requests to the destination site. For example
http://destinationSite/.../protectedResourceA

As there is no redirection from the source site to the destination site, SAML does not play a part here.

b. User gets redirected from source site to destination site. For example, user accesses the following URL
http://sourceSite/.../interSiteTransferService?Resource=protectedResourceA

In this case, the Inter-Site Transfer Service redirects the user to the destination site using
http://destinationSite/.../protectedResourceA?Target=protectedResourceA&SAMLArt=df4rfddf

This is a simple redirection from the source site to the destination site. The source site still creates the artifact, as it does not know whether a user session exists on the destination site. There is no need to construct the assertion, as the assertion can be constructed at the time of artifact creation or later, when the assertion is retrieved using the SAML protocol binding (Binding Spec lines #507, 508, which clearly say that the source site can "find" or "construct" the requested assertions). When the "protectedResourceA" resource (which is also the ARS) receives the request, it does not have to process the artifact to get the assertion. Based on the already established identity (obtained from the session), it allows or disallows the access request. So there is no SAML-based information exchange for the subsequent access requests.

Summary: The above scenario is about B/A profile usage for the first access request to the destination site and a simple redirection (with Target and SAMLart parameters) from the source site to the destination site for the subsequent access requests.

My question is, is there anything illegal in this type of subsequent access request?

Thanks,
Dipak Chopra
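The flow described in the message above, as an added, self-contained simulation that is not part of the original post and not code from OASIS or any SAML implementation. Both sides run in one process: the source site's inter-site transfer service mints a type 0x0001 artifact (TypeCode + 20-byte SourceID + 20-byte AssertionHandle, base64) and answers artifact resolution the way its SOAP endpoint would; the destination site's ARS, which is also the protected resource, resolves the artifact on the first request, creates a local session, and on subsequent requests (both variations a and b) grants access from the session without touching the artifact. Two checks a practitioner would want are included: the source site enforces one-time use of an artifact, so a replayed first-request URL without the session cookie is refused, and artifacts that are never resolved (the ones minted for subsequent redirects) expire. Host names, the `TARGET`/`SAMLart` parameter names, the cookie handling and the return tuple are assumptions for the example.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed artifact layout (SAML 1.0 type 0x0001): TypeCode(2) + SourceID(20) + AssertionHandle(20).
TYPE_CODE = b"\x00\x01"


class SourceSite:
    """Source site: inter-site transfer service plus artifact resolution (SOAP side, simulated)."""

    def __init__(self, name, ttl=300, clock=time.time):
        self.source_id = hashlib.sha1(name.encode()).digest()  # SourceID is SHA-1 of the site name
        self.ttl = ttl                                        # seconds an unresolved artifact stays valid
        self.clock = clock
        self.pending = {}  # handle -> (subject, issued_at); the assertion is built lazily on resolution

    def inter_site_transfer(self, user, resource):
        """Redirect URL the Inter-Site Transfer Service sends the browser to (constructed example URL)."""
        handle = secrets.token_bytes(20)
        self.pending[handle] = (user, self.clock())
        art = base64.b64encode(TYPE_CODE + self.source_id + handle).decode()
        return "http://destinationSite/%s?%s" % (resource, urlencode({"TARGET": resource, "SAMLart": art}))

    def resolve(self, art):
        """Artifact resolution as performed over the SOAP binding; one-time use is enforced by pop()."""
        raw = base64.b64decode(art)
        if len(raw) != 42 or raw[:2] != TYPE_CODE or raw[2:22] != self.source_id:
            return None
        entry = self.pending.pop(raw[22:], None)
        if entry is None:
            return None  # unknown, already resolved, or replayed artifact
        user, issued = entry
        if self.clock() - issued > self.ttl:
            return None  # minted but never resolved in time
        return {"subject": user, "issuer": "sourceSite"}  # stand-in for the assertion (assumption)


class DestinationSite:
    """Destination site: the protected resource doubles as the artifact receiver service (ARS)."""

    def __init__(self, source):
        self.source = source
        self.sessions = {}    # session cookie -> subject
        self.resolutions = 0  # number of artifact resolutions the ARS performed

    def handle_request(self, url, cookie=None):
        """Returns (status, resource, subject, session_cookie)."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        resource = query.get("TARGET", [parts.path.lstrip("/")])[0]
        # Subsequent access (variations a and b): a local session exists, so any SAMLart is ignored.
        if cookie in self.sessions:
            return ("200", resource, self.sessions[cookie], cookie)
        art = query.get("SAMLart", [None])[0]
        if art is None:
            return ("401", resource, None, None)  # no session and no artifact: nothing SAML can do here
        # First access: B/A profile, resolve the artifact and establish the local session.
        self.resolutions += 1
        assertion = self.source.resolve(art)
        if assertion is None:
            return ("403", resource, None, None)
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = assertion["subject"]
        return ("200", resource, assertion["subject"], cookie)


def artifact_from_url(url):
    return parse_qs(urlsplit(url).query)["SAMLart"][0]


def run_scenario(clock=time.time):
    """Walks through first access, both subsequent-access variations, and a replay of the first artifact."""
    src = SourceSite("sourceSite", clock=clock)
    dst = DestinationSite(src)
    url1 = src.inter_site_transfer("alice", "protectedResourceA")
    s1, _, subj, cookie = dst.handle_request(url1)                      # first access: artifact resolved
    url2 = src.inter_site_transfer("alice", "protectedResourceB")
    s2, res2, _, _ = dst.handle_request(url2, cookie)                   # variation b: artifact minted, not resolved
    s3, res3, _, _ = dst.handle_request("http://destinationSite/protectedResourceC", cookie)  # variation a
    s4, _, _, _ = dst.handle_request(url1)                              # replay without the cookie
    return {"first": s1, "subject": subj, "second": s2, "second_resource": res2,
            "direct": s3, "direct_resource": res3, "replay": s4,
            "resolutions": dst.resolutions, "unresolved_artifacts": len(src.pending)}


if __name__ == "__main__":
    print(run_scenario())
```

Note what the scenario makes visible: after the run, exactly one artifact is still sitting unresolved at the source site (the one minted for the variation b redirect), because the ARS never called back for it. That is the cost of the author's design, so the source site must bound the lifetime of such artifacts rather than keep them indefinitely.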

