saml-dev message


Subject: End to end scenario


I'm working through some prototype SSO infrastructure for Web Services,
and am hoping someone here can cross check my understanding of SAML.

I have a SOAP service that requires authenticated access, one of the
ways to get authenticated access is to send a SAML assertion in a
WS-Security header (as per
pec/html/ws-security-xml-tokens.asp). In this case, does the SAML
assertion follow the same pattern as the browser/POST profile, i.e.
there's a bearer confirmation method?

I also have a SOAP client that works with the service, which we
distribute to different customers, so this client will have to obtain
this SAML assertion from whatever SAML infrastructure they've deployed.
Can I just do a samlp:AuthenticationQuery to a local SAML server to
obtain the assertion to send in the SOAP message to our server? I'm a
little confused about how samlp:AuthenticationQuery works; this article
s-part-6 seems to imply that I can use samlp:AuthenticationQuery as an
authentication request, but this seems to require a username & password
to send, which defeats the SSO aspects. The spec also says specifically
that this call isn't for new authentication requests, but allows me to
find out about previous authentications. Would a password be required in
that case? If not, what stops Eve from getting an assertion for Alice?

It seems like the browser/POST profile does a good job of tackling web
apps, but there doesn't seem to be an equivalent for web services. Is
there some document/profile I'm missing, or is this something that'll
get covered in SAML 2.0?

