Subject: RE: [saml-dev] Authentication on IDP.
-----Original Message-----
From: Sarno, Giuseppe [MOP:GM15:EXCH]
Sent: 31 October 2005 16:23
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Authentication on IDP.

Hi,
I'm trying to understand how the IDP knows what credential to apply in case of an authentication challenge in an SSO scenario.
Principal seen as USER_A on SPA and USER_B on SPB and USER_IDP on IDP.
SPA initiated:
SPA redirects (for example) an authrequest to the IDP indicating that the AuthContext_A AuthContext should be applied to the user.
Question 1:
In case Context_A = userId/password, what user Id should be used?
The one known at the IDP (USER_IDP) (which means we can only use the user identifier at the IDP for that circle of trust) or (in case the IDP has the knowledge) could actually use the USER_A as known at SPA?
SPB initiated:
Question 2:
In case of Context_B = again, where does the IDP get the certificate from?
- Do we have 1 certificate for all the requests at the IDP? IMPORTANT: but then how does the IDP (and in the end the SP) distinguish which user that request is from?
- IMPORTANT: should the request in this case also include a userid/password request? I guess from what I've seen SAML cannot apply 2 Auth mechanisms at the same time (can it?), which means SPB would need to re-ask for authentication, but I don't know if this would work. Any idea?
- Does the IDP have different certificates per SP? Again, the authrequest or MetaData seem not to provide this distinction.
Sorry again for the many questions; I'm struggling going through the specs and getting those sorts of questions answered.
Giuseppe.
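Added illustration, not part of the thread or of any poster's code: the AuthnRequest the mail mentions carries the SP's wish in a RequestedAuthnContext element, which lists one or more SAML 2.0 AuthnContextClassRef URIs in order of preference together with a Comparison attribute. The example below parses that element on the IdP side and maps each standard class URI to a local credential type. The class URIs and the NoAuthnContext status are from the SAML 2.0 specifications; the mapping table, the default method, the issuer and ID values, and the helper names are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Standard SAML 2.0 authentication context classes -> the local credential
# the IdP would challenge for. The right-hand side is an assumption for this
# example; a real IdP would take it from its own configuration.
LOCAL_METHODS = {
    AC + "PasswordProtectedTransport": "password",
    AC + "Password": "password",
    AC + "X509": "client-certificate",
    AC + "TLSClient": "client-certificate",
}
# Assumed IdP default when the SP states no RequestedAuthnContext at all.
DEFAULT_METHOD = "password"
# Second-level status the IdP returns when it cannot satisfy the request.
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def build_request(issuer, class_refs, comparison="exact"):
    """Construct a minimal AuthnRequest for testing (constructed sample, not a captured message)."""
    refs = "".join(
        f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in class_refs
    )
    rac = (
        f'<samlp:RequestedAuthnContext Comparison="{comparison}">{refs}</samlp:RequestedAuthnContext>'
        if class_refs else ""
    )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed-id-1" Version="2.0" IssueInstant="2005-10-31T16:23:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{rac}</samlp:AuthnRequest>"
    )


def requested_contexts(xml_text):
    """Return (issuer, comparison, [class refs in SP preference order]) from an AuthnRequest.

    In production the request must be signature-checked (or received over a
    trusted binding) before anything in it is acted on, and parsed with a
    hardened XML parser such as defusedxml rather than plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return issuer, "exact", []          # SP left the choice to the IdP
    comparison = rac.get("Comparison", "exact")   # spec default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return issuer, comparison, refs


def select_method(xml_text):
    """Pick the local credential the IdP should challenge for, or the status to return.

    Returns a dict with issuer, class_ref and method on success, or a dict with
    issuer and status=NoAuthnContext when no listed class is supported locally.
    Only Comparison="exact" is handled; minimum/maximum/better need a strength
    ordering of classes, which this example deliberately leaves out.
    """
    issuer, comparison, refs = requested_contexts(xml_text)
    if comparison != "exact":
        raise ValueError(f"Comparison={comparison!r} not supported by this example")
    if not refs:
        return {"issuer": issuer, "class_ref": None, "method": DEFAULT_METHOD}
    for ref in refs:                         # first supported class in SP order wins
        if ref in LOCAL_METHODS:
            return {"issuer": issuer, "class_ref": ref, "method": LOCAL_METHODS[ref]}
    return {"issuer": issuer, "status": NO_AUTHN_CONTEXT}


if __name__ == "__main__":
    req = build_request("https://sp-a.example.org", [AC + "PasswordProtectedTransport"])
    print(select_method(req))
```

Note that the element tells the IdP which kind of credential the SP wants, not which user identifier to ask for; the SP's own view of the user (USER_A, USER_B) is conveyed separately through the Subject and NameID handling.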