OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: new to OpenSAML


> > www.abc.com will authenticate the user. If authentication succeeds,
> > www.abc.com will create an SAML AuthenticationResponse  ( in
> > corrrelation to SAML Request sent by www.xyz.com, see document for
> > details ) containing SAML Authnetication Assertions.
> 
> This is incorrect interpretation. SAML assumes that a user has previously
> authenticated against the Authentication Authority. The Authentication
> Request is a request for information about this previous event.

You're also a little off. The 1.1 SSO profiles don't formally call out a
step that you can call an "authn request". The new 2.0 profile does, but 1.1
starts with the user at the source site, so authentication is pre-supposed.

> SAML1.1 core spec , 3.3.3 Element <AuthenticationQuery>
> 
> "The <AuthenticationQuery> element MUST NOT be used as a request for a
> new authentication using credentials provided in the request.
> <AuthenticationQuery> is a request for statements about authentication
> acts that have occurred in a previous interaction between the indicated
> subject and the Authentication Authority."

Right, but AuthenticationQuery isn't used anywhere in the SSO profiles and
it's entirely distinct from the use case being discussed.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]