saml-dev message



Subject: Re: [saml-dev] SAML, trust and WS.


On 12/20/05, Scott Cantor <cantor.2@osu.edu> wrote:
>
> 1. C sends authenticated AuthnRequest or WST STR or whatever to IdP to get
> SAML token

Are there implicit assumptions about how C authenticates to the IdP?

> 2. IdP returns SAML token containing a transient ID issued for SPA plus some
> attributes

Right, this works because evidently the target SP is known.  (Not true
in my use case, btw.)

2.5.  User controlling C goes to the coffee shop down the street.
(While gone, the transient expires.  Since there is no session at the
IdP, the flow starts over at step 1.)

> 3. C sends SOAP request to SPA with SAML token attached (maybe bearer, maybe
> not, doesn't matter)

A synchronous request?

> 4. SPA determines C access using token
>
> 5. SPA sends AuthnRequest or WST STR or whatever to IdP with token from C
> attached with WSS

Assumes much more functionality at the IdP than is available today.
(Our development platform is Shibboleth 1.3, which is built on top of
SAML 1.1.)

> 6. IdP recovers identity of C from transient ID and if authz, returns new
> SAML token containing a transient for SPB
>
> 7. SPA sends SOAP request to SPB with new SAML token attached (probably HoK)

A synchronous request?

> 8. SPB extracts NameID from token and sends AttributeQuery to IdP
>
> 9. IdP recovers identity of C from transient ID, and maybe returns
> attributes

So where is the SSO in your flow?  If C conducts a search at 8:00am
and then wishes to conduct another search at 11:00am, where in the
flow does the second search begin?

If there is no SSO, then could you elaborate on step 1?  What exactly
do you mean by "C sends authenticated AuthnRequest"?

For the sake of discussion, take the IdP out of the picture.  Today,
is there an installed base of clients authenticating directly to a
metasearch engine?  Are you re-engineering an existing system or
building a system from scratch?

Thanks,
Tom
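The nine-step flow quoted in this message, modelled end to end as an added example (this is not code from the thread, from Shibboleth, or from any SAML library). The entity IDs, the user "alice", the attribute name, the 300-second transient lifetime and the password-based step 1 are all constructed assumptions; tokens are plain dicts with an HMAC standing in for an XML signature. What it makes concrete is the part the reply is probing: a transient NameID is bound to one audience and one expiry, so SPB cannot resolve a transient issued for SPA, the IdP must separately authorise SPA to act for C at SPB in step 6, and if the transient lapses at step 2.5 there is no IdP session to resume from, so the whole flow restarts at step 1.

```python
"""Toy model of the quoted delegation flow (added example, see lead-in).
Entity IDs, user data, attribute names and the TTL are constructed."""
import hashlib
import hmac
import secrets

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP = "https://idp.example.edu/idp"            # constructed entity IDs
SPA = "https://spa.example.edu/metasearch"     # C's first hop (steps 3-7)
SPB = "https://spb.example.edu/catalog"        # back end SPA calls for C


class Clock:
    """Controllable clock so the expiry in step 2.5 is reproducible."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class IdP:
    def __init__(self, clock, ttl=300):
        self.clock, self.ttl = clock, ttl
        self.key = secrets.token_bytes(32)      # stand-in for the signing key
        self.users = {}                         # principal -> attributes
        self.delegations = set()                # (principal, via_sp, to_sp)
        self.transients = {}                    # id -> (principal, audience, expiry)

    def signature(self, token):
        msg = "|".join(str(token[k]) for k in ("NameID", "Audience", "NotOnOrAfter"))
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def _issue(self, principal, audience):
        tid = "_" + secrets.token_hex(16)
        expiry = self.clock.now + self.ttl
        self.transients[tid] = (principal, audience, expiry)
        token = {"NameID": tid, "Format": TRANSIENT,
                 "Audience": audience, "NotOnOrAfter": expiry}
        token["Signature"] = self.signature(token)
        return token

    def resolve(self, transient, presenter):
        """Map a transient back to its principal only for the SP it was
        issued to and only before it expires (used in steps 6 and 9)."""
        entry = self.transients.get(transient)
        if entry is None:
            return None
        principal, audience, expiry = entry
        if audience != presenter or self.clock.now >= expiry:
            return None
        return principal

    def authenticate(self, principal, password, audience):
        """Steps 1-2: C authenticates (a password here; the thread leaves the
        mechanism open) and receives a transient scoped to one SP."""
        if self.users.get(principal, {}).get("password") != password:
            raise PermissionError("authentication failed")
        return self._issue(principal, audience)

    def delegate(self, token, presenter, target):
        """Steps 5-6: the IdP must recover C from SPA's token and also decide
        that SPA may act for C at SPB before issuing a new transient."""
        principal = self.resolve(token["NameID"], presenter)
        if principal is None:
            raise PermissionError("transient unknown, expired, or not for presenter")
        if (principal, presenter, target) not in self.delegations:
            raise PermissionError("delegation not authorized")
        return self._issue(principal, target)

    def attribute_query(self, transient, presenter):
        """Steps 8-9: release attributes only if the transient resolves for SPB."""
        principal = self.resolve(transient, presenter)
        if principal is None:
            return None
        return {k: v for k, v in self.users[principal].items() if k != "password"}


class SP:
    def __init__(self, entity_id, idp, clock):
        self.entity_id, self.idp, self.clock = entity_id, idp, clock

    def accept(self, token):
        """Steps 4 and 8: honour a token only if intact, addressed to this SP and
        unexpired. idp.signature stands in for verifying the XML signature
        against the IdP certificate from metadata."""
        if not hmac.compare_digest(token["Signature"], self.idp.signature(token)):
            raise PermissionError("bad signature")
        if token["Audience"] != self.entity_id:
            raise PermissionError("token not issued to this SP")
        if self.clock.now >= token["NotOnOrAfter"]:
            raise PermissionError("token expired")
        return token["NameID"]


def build_demo():
    clock = Clock()
    idp = IdP(clock)
    idp.users["alice"] = {"password": "hunter2", "eduPersonAffiliation": "member"}
    idp.delegations.add(("alice", SPA, SPB))
    return idp, SP(SPA, idp, clock), SP(SPB, idp, clock), clock


def run_flow(idp, spa, spb, clock, coffee_break=0):
    """Steps 1-9 in order; coffee_break seconds elapse at step 2.5."""
    token_a = idp.authenticate("alice", "hunter2", SPA)   # 1-2
    clock.advance(coffee_break)                           # 2.5
    spa.accept(token_a)                                   # 3-4
    token_b = idp.delegate(token_a, SPA, SPB)             # 5-6
    name_id = spb.accept(token_b)                         # 7-8
    return idp.attribute_query(name_id, SPB)              # 8-9


def flow_with_retry(idp, spa, spb, clock, coffee_break):
    """An expired transient at 2.5 cannot be refreshed (no IdP session), so
    the only recovery is to start again at step 1."""
    try:
        return run_flow(idp, spa, spb, clock, coffee_break)
    except PermissionError:
        return run_flow(idp, spa, spb, clock, 0)
```

Running `run_flow(*build_demo())` walks the whole exchange and returns SPB's attributes; `flow_with_retry(*build_demo(), 600)` shows the step 2.5 case, where the first attempt fails at SPA's expiry check and the client has to authenticate to the IdP again.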

