Subject: I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?
Hi Folks,

Below I have created a sample Single Sign-on (SSO) scenario. I would appreciate input on whether this scenario is consistent with the SAML methodology. There is one part in this scenario where I am particularly fuzzy about how things would work; I have called attention to that part with "QUESTION". All comments are eagerly welcomed.

/Roger

Scenario

An airline and a rental car agency have decided to create a business relationship for their online services. It is decided that the airline will take care of customer security issues - it will store usernames and passwords, enforce password length and style, as well as how frequently the password must be changed.

During an early stage of their business relationship (before going online), the airline informs the rental car agency of the security policy that it will enforce:

- Each username must be unique.
- A password must be at least 8 characters long, and must contain both uppercase and lowercase letters.
- A password must be changed at least once every six months.
- Users will be authenticated through the presentation of their username and password over a protected (HTTPS) session.
- A user that logs in and is then inactive for more than five minutes will be automatically logged out.

The rental car agency agrees to this security policy.

The airline creates an XML document which contains all of the aspects of the security policy shown above. The XML document conforms to saml-schema-authn-context-ppt-2.0.xsd, and the XML document is placed at this URL:

http://www.AirlineInc.com/authentication-context.xml

The airline and the car rental agency then proceed to build their online services.

.............

Now the airline and the car rental agency have their online services operational. Let's observe what happens when a user accesses their systems. Let's consider the case where the user is accessing one of the services for the first time.

Case 1: The user's first access is to the Airline's service:

http://www.AirlineInc.com

The user is immediately redirected to this secure URL:

https://www.AirlineInc.com

The user clicks on the "Register Now" link, which takes him to a secure registration page. He registers a username and password. This information is stored on the airline's web site. Let's assume the user successfully registers.

The user then proceeds to purchase an airplane ticket. Upon completion, the airline service provides a link to the car rental agency's service, which the user follows:

https://www.CarRentalInc.com

Now the user is interacting with the car rental agency's service. To avoid forcing the user to log in again, the car rental service will issue a SAML authentication request to the airline.

QUESTION: How does the car rental service identify to the airline the person for which authentication information is requested? All that the car rental service knows is that an HTTP GET was issued to this URL:

https://www.CarRentalInc.com

I suppose that the car rental service could harvest some information from the HTTP GET header, but likely there isn't enough information in there to identify the user. I am fuzzy about how things would work at this point. Can someone help me?

Let's push forward....

Somehow the car rental service is able to gather up enough information about the user and then issues a SAML authentication request to the airline. The authentication request is HTTP POSTed to this URL:

https://www.AirlineInc.com/authentication_request

The airline service parses the data in the authentication request, and constructs a SAML response XML document. In English, the SAML response says this:

"This is in response to authentication request number ______. I successfully processed your request. I assert that the subject _______ (identity of the subject) was authenticated on _______ datetime through the presentation of username and password over a protected session. This assertion is valid from ______ datetime to ______ datetime."

This response XML document is then returned in the payload of the response to the original HTTP POST from the car rental service.

The car rental service receives the authentication response, parses it to discover that the user has been authenticated by the airline. The car rental agency then welcomes the user (who proceeds to make a car reservation).

TaDa! Single Sign-on. Yea!

Case 2: The user's first access is not to the Airline's Web site, but rather to the Car Agency's Web site:

http://www.CarRentalInc.com

I'd like to discuss this on another day. Before venturing into this case, I want to make sure that I understand the above case.
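The response Roger spells out in English, rendered as SAML 2.0 XML and checked the way the car rental side would need to check it before welcoming the user. This is an added example, not code from the post or from any SAML implementation; the request ID, subject name, and timestamps are constructed, the airline issuer URL is taken from the scenario, and the XML is unsigned, so a real relying party would additionally have to validate the assertion signature before trusting any of these fields.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Authn context class matching the username+password-over-HTTPS policy in the scenario.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
FMT = "%Y-%m-%dT%H:%M:%SZ"  # naive UTC timestamps, for brevity


def build_response(request_id, subject, authn_at, not_before, not_after):
    """Airline (identity provider) side: the response described in the post.
    Constructed example, unsigned; only the field layout is realistic."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
    Version="2.0" IssueInstant="{authn_at.strftime(FMT)}" InResponseTo="{request_id}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{authn_at.strftime(FMT)}">
    <saml:Issuer>https://www.AirlineInc.com</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(FMT)}" NotOnOrAfter="{not_after.strftime(FMT)}"/>
    <saml:AuthnStatement AuthnInstant="{authn_at.strftime(FMT)}">
      <saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_request_id, now):
    """Car rental (service provider) side: accept the assertion only if it answers
    the request we actually sent, reports success, is inside its validity window,
    and names the authentication context the two parties agreed on.
    Returns the subject identifier, or raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("airline did not report a successful authentication")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), FMT)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT)
    if not (not_before <= now < not_after):
        raise ValueError("assertion is outside its validity window")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != PPT:
        raise ValueError("authentication context is not the agreed password-over-HTTPS policy")
    return assertion.find("saml:Subject/saml:NameID", NS).text
```

Checking InResponseTo against the ID the car rental service issued is what ties the assertion to this user's browser session, which is also where the open QUESTION in the scenario is resolved in practice: the request carries no subject, and the airline answers from its own login session with the user.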