Subject: Re: new to OpenSAML
Hi Francois,

There are 2 parts to your question. The first part is answered by the SAML Assertions and Protocol document and the second part is answered partly across the Overview as well as some other documents. However, I will try to address it briefly but recommend that you read the documents mentioned above.

The Browser/Artifact profile uses HTTP for transferring "artifact" information from the SAML Authority or Responder to the Requestor. This artifact is then sent back by the Requestor to dereference the assertion from the Responder, this way helping both the requestor and the responder to be on the same page for a single instance of authentication.

Ex. www.abc.com is a SAML Authority capable of providing SAML Authentication Assertions to other SAML Requestors, www.xyz.com in our example. Now, as a start of the authentication process, www.xyz.com will send a SAML Authentication Request to www.abc.com asking www.abc.com to vouch for the authenticity of the subject in the request. www.abc.com will authenticate the user. If authentication succeeds, www.abc.com will create a SAML AuthenticationResponse (in correlation to the SAML Request sent by www.xyz.com, see document for details) containing SAML Authentication Assertions. In addition to this, www.abc.com will also create an "artifact" that references this AuthenticationResponse and will send this "artifact" to www.xyz.com using a Browser/POST (reason why it is called the Browser Artifact profile). www.xyz.com, upon receiving the artifact, can dissect it to validate the identity of the sender. It can then send back this artifact in a SOAP AuthenticationRequest message to get the SOAP AuthenticationResponse message containing the actual assertion(s) towards the authentication request made by www.xyz.com. The artifact used is a one-time artifact (see documents for details regarding the artifact format) to prevent replay attacks as you mentioned.
Digital Signature is used for ensuring confidentiality of the Request/Response being transferred over the SOAP/HTTP binding. Yes, the developers of such an architecture are anticipated to have knowledge of XML / PKI and other related technologies. That, however, is an implementation issue and can be considered out of scope for the SAML Specifications.

-- Prasad.

____________________________________
Who ate my software ?
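The artifact exchange described in the post above, as an added example that is not part of the original message or of OpenSAML: the authority (www.abc.com) issues a one-time artifact referencing a response, the requestor (www.xyz.com) dissects it to check the SourceID against the authorities it trusts, then dereferences it over the back channel, and a replayed or unknown-source artifact yields nothing. The hostnames, the in-memory stores and the string standing in for the response XML are assumptions; the artifact layout follows the SAML 1.x type 0x0001 format.

```python
import base64
import hashlib
import os

TYPE_CODE = b"\x00\x01"  # SAML 1.x artifact type 0x0001


def parse_artifact(artifact):
    """Split a base64 artifact into (TypeCode, SourceID, AssertionHandle)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("not a type 0x0001 SAML artifact")
    return raw[:2], raw[2:22], raw[22:]


class SamlAuthority:
    """www.abc.com (assumed name): issues responses and the artifacts that reference them."""

    def __init__(self, hostname):
        self.source_id = hashlib.sha1(hostname.encode()).digest()  # 20-byte SourceID
        self._pending = {}  # AssertionHandle -> response, deleted on first use

    def issue_artifact(self, subject):
        handle = os.urandom(20)  # unpredictable per-response AssertionHandle
        # constructed stand-in for the real AuthenticationResponse XML
        self._pending[handle] = f"<Response subject='{subject}'/>"
        return base64.b64encode(TYPE_CODE + self.source_id + handle).decode()

    def dereference(self, artifact):
        """Back-channel (SOAP) lookup; pop() makes the artifact one-time only."""
        _, _, handle = parse_artifact(artifact)
        return self._pending.pop(handle, None)


class SamlRequestor:
    """www.xyz.com (assumed name): dissects the artifact, then fetches the response for it."""

    def __init__(self, trusted_authorities):
        # SourceID -> authority; stands in for looking up the authority's SOAP endpoint
        self._trusted = {a.source_id: a for a in trusted_authorities}

    def resolve(self, artifact):
        _, source_id, _ = parse_artifact(artifact)
        authority = self._trusted.get(source_id)
        if authority is None:
            return None  # artifact was not issued by a SAML authority we trust
        return authority.dereference(artifact)
```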