OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SAML, trust and WS.

   >...If I understood it right this Token is used as part of a 
WS-security message to authenticate (and possibly authorize) a 

a security token isn't used "to authenticate" a user - as such. in 
the context that you have described, the user was already 
authenticated at some earlier point in time by some means or 
another (according to some  security policy). the "Asserting 
Party" (or "Security Token Service" or "IdP") then generates the 
security token which sort of describes the outcome of an 
authentication attemp. then the token is made available somehow to 
the user/client. the user/client would then present the token to 
the service provider. effectively, what the security token says to 
the service provider is:

  "...dear service provider, the subject that this authentication 
statement refers to has been authenticated (somehow; at some 
point) and this-or-that asserting party (or STS or IdP) is a 
witness to that. the asserting party's signature is included below 
as proof that you can trust the claim being made in this here 

at least, that is how i see it. i would be grateful to hear some 
expert feedback on my interpretation.

On Mon Dec 05 03:23:37 PST 2005, Giuseppe Sarno 
<gsarno@nortel.com> wrote:

> Hi,
> moving on Web service investigation and security I came across at 
> the
> SAML token profile.
> If I understood it right this Token is used as part of a 
> WS-security
> message to authenticate (and possibly authorize) a user.
> The use case I have seen is the following: UserA gets a SAML 
> assertion (related to himself). Then includes the Assertion as a 
> Token in the WS-se message to the
> Service A
> The things are not fully clear are the following:
> Where the user gets the Assertion from ? IDP ?  In the federated
> example/SSO it was clear what the relationship between 
> user/SP/IDP was.
> with the Wsse I kind of don't get the full picture.
> The Service somehow will have to trust the Asserting party even 
> though
> in different trust domains ? Or this means that the user can only 
> be
> authenticated in his trust domain ?
> The SAML message will need to contain all the information 
> necessary to
> the Service A to make the decision. I mean Service A don't need 
> to go
> somewhere else to check that the assertion is valid as he has got 
> all
> the info he requires. I guess it's here where subject 
> confirmation might
> come in place ?
> I hope the info in the question is clear enough, otherwise don't
> hesitate to ask for any farther details.
> Thanks.
> Giuseppe.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]