Re: [saml-dev] Question about evidences

[Bhavna Bhatnagar <bhavna.bhatnagar@Sun.COM>]

Deleon,

Please see inline...

DELEON Frederic wrote:

Hi,

I would like to konw what is the interest of evidences.
Here is how I understand the specification :
  - a SAML client sends a request with an evidence inside the query,
this evidence contains an assertion ID (assertion reference),
  - a SAML server get this assertion ID and retrieve the corresponding
assertion without control about the assertion ID validity, then it
returns the assertion in an evidence element inside the statement

As far as I understand the assertion returned is a new one containing an
AuthZ statement .
The evidence ( assertion or assertion id ) sent to the server is a
proff of prior authentication
of the subject which is sent to the server to indicate that the subject
is already authenticated
and now an authz decision is queried for.

 

Is it correct ?
In which case a SAML client can create a request with an evidence (with
assertion ID) ? Where this assertion ID can come from ?

as stated above, this was obtained in a prior act of authentication either
via
SSO using artifact/POST profile or making an authn query.

 
The SAML schema allows giving an assertion instead of an assertion ID in
the evidence on the query. In this case what does the server check ?

Thanks in advance.

Frederic Deleon

To unsubscribe from this list, send a post to saml-dev-unsubscribe@lists.oasis-open.org, or visit http://www.oasis-open.org/mlmanage/.

-- 
________________________________________________________________________ 
Bhavna Bhatnagar                                Sun Microsystems Inc.            
Identity Management group        __o
Tel: 408-276-3591              _`\<,_   
                              (*)/ (*)
 ________________________________________________________________________