OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] SAML, trust and WS.

Hi after a better look at the specs and situations,
I can better see the differences between SSO assertion and WS assertion.

My problem though is if I was to implements something like :

WebBrowser to talk to SPA in order to access some ResourceA (which
actually uses some WebServiceA).
SPA trusts IDPA.

Now if I wanted to provide this capability my expectation would be that
when WebBrowser tries to access ResourceA 
a) SPA to do SSO with IDPA and so get an Assertion(SSO).
b) ResourceA  actually now needs to invoke WebServiceA but he now needs
an WS assertion. So he will then need a new Assertion ?

The problem here is how can I bundle this together ? 
If I don't bootstrap from SSO how can I get the WebService Assertion
(SAML Token) ?


-----Original Message-----
From: w i l l [mailto:oasis.saml@javafreelancer.net] 
Sent: 05 December 2005 18:40
To: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SAML, trust and WS.

> I think that in most cases the invocation model (parties and
> security context) will be different and that a token generated 
> for browser based SSO will typically be different than a token 
> generated for web service invocation

i think this should be stressed over and over. speaking from my 
own experience, i bet that there are a lot of developers that are 
new to saml, attempting to implement some saml-based security 
system but have not grasped that the saml assertion referred to in 
the simple saml 1.x sso profile is used for a different purpose 
(and in a different context; and using a different delivery 
mechanism/protocol) than a saml assertion used in a wsse:Security 
header.  another thing that us non-experts get easily tripped up 
on i think, is that there are significant differences in what you 
can do with saml 2 compared to what you can do with saml 1.x. in 
the project i am working on, we are constrained to saml 1.1.

the eureka moment didn't come for me until i eventually realized 
that 1) saml on its own only goes so far; and 2) the Liberty 
Alliance and the ws-* stack are two distinct approaches to the 
same problem. the confusing thing is (at least it was for me) the 
fact that they both use ws-security and saml assertions.  if i 
were to advise any newbies out there like myself i would say  
first establish from which context (Liberty or ws-*/saml 1.x or 
saml 2) a given explanation of saml is coming in order to make 
sense of all of the different (often confusing) interpretations 
out there.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]