Subject: RE: [saml-dev] SAML, trust and WS.
> Could the SAML Token be used together with the SSO profile?

There is currently no profile for doing this. In SAML 2.0, it is at least reasonable to consider doing so. In SAML 1.1, the SSO assertion was short-lived.

> Browser/client tries to access Resource A on SPa.
> The SPa uses the SSO profile to authenticate the User and is
> going to get back an assertion.
> It (if policy applies) will grant access to Resource A which
> actually is a client for a Web Service B.
> Resource A on SPa could use WS- or Liberty profile now to
> access that Web Service using the SAML assertion?
>
> Does this picture make sense to you, or what is missing?

What's missing is defining the contents of the assertion, the rules for using it, and the way that you can get the IdP to put the right stuff in up front.

Liberty doesn't specifically define this particular usage scenario at the moment; it generally assumes that SPa uses the SSO token to go back to a discovery/token service and get a new token for SPb.

I've done some work on defining delegation tokens that would compose with the SSO profile, but it's not really clear that it's a better approach, since the Liberty model is simpler from a privacy point of view. But conceptually it works; you just have to put a holder-of-key SC in the token with SPa's key in it. But you also have to encrypt data sufficiently to prevent information leaking to SPb if it was only for SPa.

If your web services scenario is simple enough to rely on a single universal identifier, it's often simple enough that it doesn't need all this stuff anyway.

-- Scott
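As an added illustration of the holder-of-key SubjectConfirmation Scott describes (example code, not from the thread or any SAML toolkit): the receiving web service (SPb) checks that the assertion is addressed to it, is still valid, and carries a holder-of-key confirmation naming the key the caller (SPa) actually proved possession of on the transport. The assertion XML, key name and audience URL are constructed for the example; signature validation of the assertion is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: an SSO-style assertion whose SubjectConfirmation names SPa's key.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:00:00Z">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyName>spa-key-1</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://spb.example.org/ws</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_utc(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def accept_for_service(xml_text, presenter_key_name, my_audience, now=None):
    """Return (ok, reason). presenter_key_name is the key the caller proved it holds
    (e.g. via TLS client auth); it must match a holder-of-key confirmation."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    if cond is None or now >= parse_utc(cond.get("NotOnOrAfter")):
        return False, "assertion expired or has no Conditions"
    auds = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in auds:  # token was meant for another SP; do not accept it
        return False, "not intended for this service"
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:  # bearer confirmations give no proof of the caller
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        exp = scd.get("NotOnOrAfter") if scd is not None else None
        if scd is None or (exp and now >= parse_utc(exp)):
            continue
        if presenter_key_name in [k.text for k in scd.findall("ds:KeyInfo/ds:KeyName", NS)]:
            return True, "holder-of-key confirmed"
    return False, "no usable holder-of-key confirmation for presenter"
```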