OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] AuthnQuery

> How about the use case where a user interacts with a 
> browser-based application that triggers a chain of 
> non-browser-based sub-processes, one of which wants to verify 
> the user's authentication before acting on his behalf? In 
> this case, that sub-process might not have access to the 
> authn assertion provided during browser authn/access to the 
> web app, but would be able to initiate a SOAP request to 
> obtain a new assertion.

Right, well, classic n-tier. Hard problem. As soon as the customer sees what
you have to do to solve it, suddenly security isn't so important. ;-)

I think it had better have access to *something* from the original
transaction, because me giving it my password isn't really the right answer.

It needs a token of some sort to attach to its SOAP request, and then
subject to policy, the IdP could give it a new token with me as the subject
but the sub-process' confirmation key in it. Basic delegation or
impersonation depending on the use case.

If you come up with a way to do this that's sufficiently easier than Liberty
ID-WSF, please let me know.

I believe that I explicitly engineered the AuthnRequest and SAML 2.0 in
general to support this use case. But it doesn't solve it for you without
the extra headache-inducing machinery.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]