saml-dev message



Subject: RE: [saml-dev] SAML, trust and WS.


> Could the SAML token be used together with the SSO profile?

There is currently no profile for doing this. In SAML 2.0, it is at least
reasonable to consider doing so. In SAML 1.1, the SSO assertion was
short-lived.

> Browser/client tries to access Resource A on SPa.
> The SPa uses the SSO profile to authenticate the user and is
> going to get back an assertion.
> It (if policy applies) will grant access to Resource A, which
> actually is a client for a Web Service B.
> Resource A on SPa could use the WS- or Liberty profile now to
> access that Web Service using the SAML assertion?
>
> Does this picture make sense to you, or what is missing?

What's missing is defining the contents of the assertion, the rules for
using it, and the way that you can get the IdP to put the right stuff in up
front. Liberty doesn't specifically define this particular usage scenario at
the moment, it generally assumes that SPa uses the SSO token to go back to a
discovery/token service and get a new token for SPb.

I've done some work on defining delegation tokens that would compose with
the SSO profile, but it's not really clear that it's a better approach,
since the Liberty model is simpler from a privacy point of view.

But conceptually it works; you just have to put a holder-of-key SC in the
token with SPa's key in it. But you also have to encrypt data sufficiently
to prevent information leaking to SPb if it was only for SPa.

If your web services scenario is simple enough to rely on a single universal
identifier, it's often simple enough that it doesn't need all this stuff
anyway.

-- Scott
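The holder-of-key subject confirmation Scott mentions, shown as an added example that is not part of this thread or any OASIS specification text: a constructed SAML 2.0 assertion whose SubjectConfirmation names SPa's key, plus the check SPb would run before accepting it. The assertion, the key name `spa-signing-key` and the helper names are assumptions; signature validation and proof of key possession are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed sample: an SSO-style assertion for the user, extended with a
# holder-of-key confirmation that carries SPa's key (a placeholder KeyName here).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    ID="_example" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>spa-signing-key</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def holder_of_key_names(assertion_xml):
    """Return the KeyNames listed in holder-of-key SubjectConfirmations.

    Bearer confirmations are ignored: they name no key, so possession of
    the assertion alone would be enough to use it.
    """
    root = ET.fromstring(assertion_xml)
    names = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName"
        names.extend(kn.text for kn in sc.findall(path, NS))
    return names


def confirm_presenter(assertion_xml, presenter_key_name):
    """SPb-side check: accept the assertion only if the party presenting it
    proved possession (e.g. via a signature SPb already verified) of a key
    named in a holder-of-key confirmation, i.e. it really is SPa."""
    return presenter_key_name in holder_of_key_names(assertion_xml)
```

The check is what ties the token to SPa; the leakage concern in the message is separate and is addressed by encrypting attributes meant only for SPa, not by this confirmation.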


