OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Re: new to OpenSAML

> I guess there is a step (step 6 in the digram) where the replying
> party has to send a SOAP/SAML Request to the SAML Authority i.e
> AuthenticationQuery. The corresponding SAML Response can then contain
> either Assertion with SAMLStatus=Success or just a SAMLStatus with an
> appropriate message ( as in case of authentication failure etc).
> Am I getting it right or am I misinterpreting ? 

Ah, no, you're not correct. You're talking about the artifact profile, in
which a Request is sent with the artifact inside to get a Response
containing the assertion. It's not an AuthenticationQuery. There is no
profile in 1.1 that uses that query type, nor am I aware of any wide use of
it, unlike the other two queries.

> In SAML2.0 Web Browser Profile, the Assertion is returned directly in
> response to the AuthnRequest made by an Relying party ( SP ) which is
> different from SAML1.1 where "Browser redirect" was used for returning
> Artifact to the Relying party; which then would send a SOAP/SAML
> Request ( as mentioned above and also step 6 in the diagram ) to get a
> corresponding Assertion in SOAP/SAML Response.

No, SAML 2.0 fully supports the old model of using an artifact or POST to
deliver the response. In 1.1, they were separate profiles. In 2.0, they are
described in terms of separate bindings with a single profile.

The language you used above is just as applicable to the 1.1 POST profile,
it's not something new in 2.0. There just wasn't a formal AuthnRequest flow
in 1.1.

> Also,does HTTP Artifact binding require both SP and IDP to send
> artifacts first and then pull the actual request or response. Is this
> is a replacement ( refinement ) of the Browser Artifact profile ?

No and yes. The Artifact, Redirect, and POST bindings can be combined as
needed on each half of a request/response exchange. I can send the
AuthnRequest with Redirect via GET and get back an artifact representing the
Response. That is in fact probably a common case. And yes, this use of
artifact is a re-working of the idea behind the artifact profile in 1.1, so
that it can be used on either end and used across all the protocols in SAML
in a common way (i.e. you implement the basic machinery once for all

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]