saml-dev message



Subject: RE: [saml-dev] Use of ECP Profile




Jean-Noel Colin wrote on 10/27/2004, 6:11 AM:

[Jean-Noel Colin] 
Couldn't SPA act as a proxy to SPB? In this particular case, SPA, acting as an ECP to SPB, would invoke SPB, get an AuthnRequest from SPB, and since it is not able to authenticate the user (as it is not a 'full' IdP), would relay the request to the original ECP, which knows which IdP to use.
 
I drew a sequence diagram that I attach. Could you please tell me what's wrong with it?
Because the IdP and the ECP sitting in front of the user are *obligated* to return the AuthnResponse to SP-B, not SP-A, so the user, at that point, would now be sent to SP-B, thereby taking SP-A out of the loop.
I might have not been clear while explaining my architecture, so let me put a small picture:
So I think you need at least an AuthenticationService interface to the IdP that lets SP-A ask for a token for SP-B and then include that token as appropriate on the call to SP-B.  This can be more complex than simply including a token (hence the Discovery Service in ID-WSF).

[Jean-Noel Colin] I guess you call 'token' an Authentication Assertion?
Yes, I was using the term "token" to mean security token which, in the case of SAML is an Authentication Assertion.
So when SPA wants to invoke another service, it requests a token from the IdP (how does it know the IdP? From the response it got from the ECP?) and includes that token in its request to SPB?
The Identity of the IdP is in the assertion that SP-A receives (the Issuer of the token).
What would be the added value of the Disco Service from WSF? I understood it as a directory of services? Do you mean that that directory service could be used to indicate which requirements apply to SPB, so that when SPA wants to invoke SPB, it knows which type of token to include? Does this refer to the SecurityMechID element of the Service Instance Description?
The Disco Service returns a) the location of SP-B, b) the security token(s) needed to access SP-B and c) the security mechanism that should be used by SP-A when invoking SP-B.  Note that the SecurityMechID is not just which token to include, but how to provide message and transport authentication.

Conor
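The two points in the exchange above, that the assertion returned for SP-B's AuthnRequest is bound to SP-B and cannot simply be reused by SP-A, and that SP-A learns which IdP to go back to from the assertion's Issuer, are easiest to see on a concrete assertion. The following Python is an added example, not code from this thread, from OASIS or from any SAML implementation. The entity IDs and the assertion XML are constructed for illustration, the assertions are unsigned, and the check covers only Issuer and AudienceRestriction; signature verification, the validity window and SubjectConfirmation are deliberately out of scope.

```python
# Added example (not from the original thread): how SP-A would inspect a SAML 2.0
# assertion to learn which IdP issued it (the Issuer) and whether the assertion
# is actually usable at a given SP (the AudienceRestriction). Entity IDs and the
# assertion XML are constructed for illustration; the assertions are unsigned.
import xml.etree.ElementTree as ET
from typing import List, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical entity IDs for the IdP and the two service providers in the thread.
IDP = "https://idp.example.org/idp"
SP_A = "https://sp-a.example.com/saml"
SP_B = "https://sp-b.example.com/saml"


def build_assertion(audience: str) -> str:
    """Return a constructed, unsigned SAML 2.0 assertion scoped to one audience.

    The audience is inserted verbatim because the constants above are plain URIs;
    real code would never hand-build assertions this way.
    """
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2004-10-27T10:11:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>jncolin</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-10-27T10:11:00Z"/>
</saml:Assertion>"""


# What SP-A holds after the user's ECP login: an assertion issued for SP-A.
ASSERTION_FOR_SP_A = build_assertion(SP_A)
# What SP-B requires: an assertion the IdP issued with SP-B as the audience.
ASSERTION_FOR_SP_B = build_assertion(SP_B)


def issuer_of(assertion_xml: str) -> str:
    """The IdP's entity ID: this is how SP-A knows which IdP to ask for an SP-B token."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", SAML_NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("assertion carries no Issuer")
    return issuer.text.strip()


def audience_restrictions(assertion_xml: str) -> List[Set[str]]:
    """One set of Audience URIs per AudienceRestriction element.

    SAML 2.0 semantics: the Audiences inside one restriction are alternatives,
    while separate AudienceRestriction elements must all be satisfied.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = []
    for restriction in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS):
        audiences = {
            a.text.strip()
            for a in restriction.findall("saml:Audience", SAML_NS)
            if a.text and a.text.strip()
        }
        restrictions.append(audiences)
    return restrictions


def acceptable_at(assertion_xml: str, my_entity_id: str) -> bool:
    """Would the SP identified by my_entity_id accept this assertion as addressed to it?

    An assertion without any AudienceRestriction is rejected here on purpose:
    a relying party should not consume assertions that were not issued for it.
    """
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(my_entity_id in audiences for audiences in restrictions)


if __name__ == "__main__":
    print("issuer:", issuer_of(ASSERTION_FOR_SP_A))
    # SP-A's own assertion is no good at SP-B; SP-A has to go back to the Issuer
    # for a token whose audience is SP-B, which is what the thread suggests.
    print("SP-A token accepted by SP-B?", acceptable_at(ASSERTION_FOR_SP_A, SP_B))
    print("SP-B token accepted by SP-B?", acceptable_at(ASSERTION_FOR_SP_B, SP_B))
```

Running the block prints the IdP entity ID, then False for SP-A's own assertion presented at SP-B and True for the one issued with SP-B as audience. In a real deployment the Issuer would be looked up in SAML metadata to find the IdP's endpoints and signing key, and the signature would be verified before any of these fields are trusted.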


