OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Non-web client authentication

I don't know how you can say that you don't trust an
application running on the user's computer since that
application, if it was a bad guy, could do pretty much
anything on the computer including replacing the browser
with their own thing that looks like a browser.  On 
top of that, the application, once it gets the user 
signed in, is trusted to do the right thing for the user.

That said, the probably easiest thing to do would be for
your application to act as a local web server and do
an authen request to the IdP with a response going to
localhost:theportyourlistening to.  Then your client
could just act as an SP speaking to the IdP through
the browser SSO profile.


> -----Original Message-----
> From: Andreas Åkre Solberg [mailto:Andreas.Solberg@uninett.no] 
> Sent: Friday, March 03, 2006 9:29 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Non-web client authentication
> I need an authentication profile for clients that are not web-based.  
> In our architecture we cannot trust applications to handle 
> principal's credentials.
> We are planning to implement some compromise between user 
> comfort and user credential privacy. Here are an outline of 
> what we will do:
> The application must initiate a authentication session with 
> the identity provider. It gets an session key back. (and an 
> url to open to the user) The application launches a browser 
> with the given URL including the session key.
> The user must presents his credentials at the web page.
> The identity provider login portal tells the user that he is 
> successfully authenticated and should return the application X.
> The user clicks OK in the application signalling that 
> authentication is performed.
> The application sends a request to the identity provider with 
> the session key asking if the user is successully authenticated.
> The application gets back a response that the user is 
> successully authenticated, and may be some user attributes.
> 	The protocol between the application and the IdP is SAML.
> Here are some old draft with more details, but somewhat outdated:
> http://domen.uninett.no/~andreas/FEIDE/nonweb-profile.html
> Are there anyone who have standardised something like this. 
> And if not is there any interest of doing so within oasis. If 
> not are there any other forum that could be interested - Liberty?
> I would think that there should be several others that have 
> the same problems that we have, and have implemented it 
> somehow, please point us in direction of other similar approaches.
> Kind regards
> Andreas.
> --
> Andreas Åkre Solberg
> Andreas.Solberg@uninett.no
> UNINETT - http://uninett.no
> Contact Info and PGP Public Key:
> http://andreas.solweb.no/?Account=Work

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]