OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] SAML, trust and WS.


Thanks for you comments all. Hand waving it certainly is! Don't want to
expend too much effort until it's clear whether such a setup is required.

Scott's example is for SPa to request something from an IdP for another
entity down the line. So the IdP has to keep generating transients.

I don't like this. It's not "compact" enough for me. I just like the idea
of each SP taking care of it's own requirements.

Tom - I'm not sure what you mean by the NameIdentifier issue.

Off to think some more.

Alistair

-- 
Alistair Young
Senior Software Engineer
UHI@Sabhal Mr Ostaig
Isle of Skye
Scotland

>> - The basic thrust of the whitepaper seems to be attribute pull vs.
>> push.  If you're going to advocate pull, you're going to have to deal
>> with the name identifier issue.
>
> I've done plenty of flow mock-ups involving multiple tiers and I never
> needed anything special. Transients simplify things (avoids the need for
> encryption), but ultimately anything works. You claim they don't (on other
> lists) but without any actual reasoning that I've seen nor accept.
>
> As an example that doesn't involve a browser...
>
> C = desktop client that issues searches via SOAP
> IdP = IdP (duh)
> SPA = metasearch engine
> SPB = repository
>
> 1. C sends authenticated AuthnRequest or WST STR or whatever to IdP to get
> SAML token
>
> 2. IdP returns SAML token containing a transient ID issued for SPA plus
> some
> attributes
>
> 3. C sends SOAP request to SPA with SAML token attached (maybe bearer,
> maybe
> not, doesn't matter)
>
> 4. SPA determines C access using token
>
> 5. SPA sends AuthnRequest or WST STR or whatever to IdP with token from C
> attached with WSS
>
> 6. IdP recovers identity of C from transient ID and if authz, returns new
> SAML token containing a transient for SPB
>
> 7. SPA sends SOAP request to SPB with new SAML token attached (probably
> HoK)
>
> 8. SPB extracts NameID from token and sends AttributeQuery to IdP
>
> 9. IdP recovers identity of C from transient ID, and maybe returns
> attributes
>
> etc.
>
> Works across however many hops you want. The trick is defining the
> messages
> and what goes in the tokens. The identifier part of it is trivial because
> only the IdP cares about them, unless you want a more persistent
> identifier,
> which is no different than any other attributes.
>
> -- Scott
>
>
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on implementing the
> SAML OASIS Standard. To minimize spam in the
> archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
>
>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]