OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Authentication on IDP.

Sorry for the delay in response... was out of touch yesterday (and will be again later today).

Giuseppe Sarno wrote on 11/2/2005, 9:44 AM:

    • do we have 1 certificate for all the request at the IDP ? IMPORTANT: but then how the IDP (and in the end the SP) distinguish which user is that request from?
User A access SPA.
SPA redirect to IDP asking for a Certificate based authentication.
IDP perform this but (unless I'm wrong) the certificate wouldn't contain any info specific to the user but mainly keys info.
in this case the IDP has to also identify the user in order to reply with a subject to the SP. I guess it would perform a Userid/password (basic auth)
I guess this is reasonable to expect from the IDP.
This is out of scope for SAML, but I'm guessing that most IdPs will either a) have a certificate registered for a particular user  or b) they will have a requirement that user identity information be present in the signed certificate (this is  how many web sites do client-auth ssl). 

The certificate is usually enough to identify the user (assuming it was an individually issued certificate).

Of course, there is nothing that stops an IdP from doing exactly what you are descrbing (in fact, I *think*many VPN clients do this kind of thing (where the client authenticates to the server using a client cert that is the same for many users and then the user authenticates ontop of that communciations channel)).
Now What is the Auth context he is going to send back ?  
    Certificate based authentication ?
    User Id/ password ?
    or both ?
I'm guessing that if the IdP were to do what you are describing, they would define a new class that was along the lines of ...PasswordClientTLS (what I would consider to be "stronger" than ...PasswordProtectedTransport).

Although, like I said earlier, I would expect that the certificate alone would be good enough.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]