OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] Use of ECP Profile




Jean-Noel Colin wrote on 10/25/2004, 9:30 AM:

Jean-Noel Colin wrote on 10/25/2004, 8:08 AM:
Regarding the use of ECP, I fully agree that a SP does not have to know where the IdP is, but as in my case, a SP may also be an ECP (in case of service chain), it means that each SP in the chain has to know which IdP to use, or that this information is carried in the request for service.
If SP-A is acting as ECP to another SP (say SP-B), then SP-A would indicate that it is an ECP in the HTTP headers so that SP-B would send the request to the SP-A ECP which would then know where the IdP is.
[Jean-Noel Colin] What if SP-A can't act as ECP because it does not know which IdP to use? Could it then act as a proxy, so that it would appear as the IdP to SP-B, but in fact resend the AuthnReq to UE? So in a first step, UE invokes SP-A, which sends back an AuthnReq to UE which calls on the IdP... When later SP-A calls SP-B, SP-B sends the AuthnReq to SP-A, which sends it back to UE and we are back to the previous case. This would deal with arbitrarily long service chains. Do you see anything wrong with this?
My answer was in response to you saying "a SP may also be an ECP". As I have pointed out, none of this needs to be done with an ECP. SP-A (assuming the user has already been authenticated to it) will know where the IdP is (and your model was that the user goes from IdP to SP-A to SP-B, so at the time you go from SP-A to SP-B, SP-A does know where the IdP is).
What if we have an arbitrarily long chain? SP-B may in turn call SP-C which will call SP-D. In this case, how does SP-B know which IdP to contact?
SP-B gets an AuthnResponse that includes the identification of the IdP and can use this subsequently.
[Jean-Noel Colin] In this model, this means that SP-B receives an unsolicited AuthnResponse about a subject, but would not have received any prior service invocation. Does this mean that it would 'cache' the AuthnAssertions received, so that when SP-A invokes it, it already has an authentication context and is thus able to serve the request?
No... after reading the rest of your note where you point out that this is a server to server call, you can't use the normal AuthnRequest/AuthnResponse methods, even with an ECP. I think you need to explore other solutions.
Note that for service to service calls, I don't recommend going through a browser (although it can work)... I'd recommend using some form of web services infrastructure that can go directly from service to service without involving the browser. This is the kind of stuff we built into Liberty's Web Services Framework.

[Jean-Noel Colin] In fact, our whole model is not using a browser, except as an entry point. All interaction beyond the user's main portal (what I called User Environment - UE before) is done through web services. And basically, what we want to achieve is that each service should authenticate the requester before actually serving any request.
First off, note that *ALL* of my previous responses had to do with how to do this kind of thing in a browser/ECP based model, not a service to service web services model.

For Service to Service calls, I recommend you look at ID-WSF as it solves this. Alternatively, you need a method that SP-A can use on the IdP to ask for a token for SP-B that SP-A can include on its service request to SP-B (then, if SP-B needs to call SP-C, it, looking at the token, can locate the IdP and use the same method to ask for a token for SP-C).

Conor
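An added illustration, not part of the thread and not ID-WSF, of the delegation pattern in Conor's last paragraph: an IdP issues audience-restricted tokens, each SP authenticates the caller before serving anything, locates the IdP from the token's issuer, and asks it for a fresh token for the next hop. The names, the HMAC-signed JSON token standing in for a SAML assertion, the shared demo key and the IDPS registry are all constructed for this example.

```python
import base64, hashlib, hmac, json

class IdP:
    def __init__(self, name, key):
        self.name, self.key = name, key  # key: constructed demo secret
    def _sign(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject, requester, audience):
        # Audience restriction: the token is only valid at one named service.
        claims = {"iss": self.name, "sub": subject, "requester": requester, "aud": audience}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def verify(self, token, expected_aud):
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            raise ValueError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != expected_aud:
            raise ValueError(f"token for {claims['aud']} presented to {expected_aud}")
        return claims

# Registry the SPs use to locate an IdP from a token's issuer (constructed).
IDPS = {"https://idp.example": IdP("https://idp.example", b"constructed-demo-key")}

class SP:
    def __init__(self, name):
        self.name = name

    def serve(self, token, downstream):
        # The unverified issuer is read only to find the IdP; nothing else is
        # trusted until signature and audience have been checked.
        iss = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["iss"]
        if iss not in IDPS:
            raise ValueError("unknown issuer")
        claims = IDPS[iss].verify(token, expected_aud=self.name)
        if not downstream:
            return [self.name]
        # Same IdP and subject, new audience: ask for a token for the next hop.
        nxt = downstream[0]
        return [self.name] + nxt.serve(IDPS[iss].issue(claims["sub"], self.name, nxt.name), downstream[1:])

def run_chain():
    """UE -> SP-A -> SP-B -> SP-C; returns the services that authenticated the call."""
    idp = IDPS["https://idp.example"]
    return SP("SP-A").serve(idp.issue("alice", "UE", "SP-A"), [SP("SP-B"), SP("SP-C")])

def replay_rejected():
    """A token minted for SP-B must be refused by SP-C (audience mismatch)."""
    try:
        SP("SP-C").serve(IDPS["https://idp.example"].issue("alice", "SP-A", "SP-B"), [])
        return False
    except ValueError:
        return True
```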

