Subject: End to end scenario
Hi,

I'm working through some prototype SSO infrastructure for Web Services, and am hoping someone here can cross-check my understanding of SAML.

I have a SOAP service that requires authenticated access; one of the ways to get authenticated access is to send a SAML assertion in a WS-Security header (as per http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp). In this case, does the SAML assertion follow the same pattern as the browser/POST profile, i.e. there's a bearer confirmationmethod?

I also have a SOAP client that works with the service, which we distribute to different customers, so this client will have to obtain this SAML assertion from whatever SAML infrastructure they've deployed. Can I just do a samlp:AuthenticationQuery to a local SAML server to obtain the assertion to send in the SOAP message to our server?

I'm a little confused about how samlp:AuthenticationQuery works. This article, http://www.theserverside.com/articles/article.tss?l=Systinet-web-services-part-6, seems to imply that I can use samlp:AuthenticationQuery as an authentication request, but this seems to require a username & password to send, which defeats the SSO aspects. The spec also says specifically that this call isn't for new authentication requests, but allows me to find out about previous authentications; would a password be required in that case? If not, what stops Eve from getting an assertion for Alice?

It seems like the browser/POST profile does a good job of tackling web apps, but there doesn't seem to be an equivalent for web services. Is there some document/profile I'm missing, or is this something that'll get covered in SAML 2.0?

Thanks
Simon