RE: [saml-dev] Authentication on IDP.

["Conor P. Cahill" <concahill@aol.com>]

Sorry for the delay in response... was out of touch yesterday (and will
be again later today).

Giuseppe Sarno wrote on 11/2/2005, 9:44 AM:

• do we have 1 certificate for all the request at the IDP ? IMPORTANT: but then how the IDP (and in the end the SP) distinguish which user is that request from?

User A access SPA.

SPA redirect to IDP asking for a Certificate based authentication.

IDP perform this but (unless I'm wrong) the certificate wouldn't contain any info specific to the user but mainly keys info.

in this case the IDP has to also identify the user in order to reply with a subject to the SP. I guess it would perform a Userid/password (basic auth)

authentication.

I guess this is reasonable to expect from the IDP.

This is out of
scope for SAML, but I'm guessing that most IdPs will either a) have a
certificate registered for a particular user  or b) they will have a
requirement that user identity information be present in the signed
certificate (this is  how many web sites do client-auth ssl).  

The certificate is usually enough to identify the user (assuming it was
an individually issued certificate).

Of course, there is nothing that stops an IdP from doing exactly what
you are descrbing (in fact, I *think*many VPN clients do this kind of
thing (where the client authenticates to the server using a client cert
that is the same for many users and then the user authenticates ontop
of that communciations channel)).

Now What is the Auth context he is going to send back ?  

    Certificate based authentication ?

    User Id/ password ?

    or both ?

I'm guessing that
if the IdP were to do what you are describing, they would define a new
class that was along the lines of ...PasswordClientTLS (what I would
consider to be "stronger" than ...PasswordProtectedTransport).

Although, like I said earlier, I would expect that the certificate
alone would be good enough.

Conor