OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

Hi Folks,

Below I have created a sample Single Sign-on (SSO) scenario.  I would
appreciate input on whether this scenario is consistent with the SAML
methodology.  There is one part in this scenario where I am
particularly fuzzy about how things would work; I have called attention
to that part with "QUESTION".  All comments are eagerly welcomed.


An airline and a rental car agency have decided to create a business
relationship for their online services.  It is decided that the airline
will take care of customer security issues - it will store usernames
and passwords, enforce password length and style, as well as how
frequently the password must be changed.

During an early stage of their business relationship (before going
online), the airline informs the rental car agency of the security
policy that it will enforce:

- Each username must be unique.
- A password must be at least 8 characters long, and must
  contain both uppercase and lowercase letters.
- A password must be changed at least once every six months.
- Users will be authenticated through the presentation of
  their username and password over a protected (HTTPS)
- A user that logs in and is then inactive for more than
  five minutes will be automatically logged out.

The rental car agency agrees to this security policy.  

The airline creates an XML document which contains all of the aspects
of the security policy shown above.  The XML document conforms to
saml-schema-authn-context-ppt-2.0.xsd, and the XML document is placed
at this URL:

The airline and the car rental agency then proceed to build their
online services.


Now the airline and the car rental agency have their online services
operational.  Let's observe what happens when a user accesses their

Let's consider the case where the user is accessing one of the services
for the first time.  

Case 1: The user's first access is to the Airline's service:


The user is immediately redirected to this secure URL: 


The user clicks on the "Register Now" link, which takes him to a secure
registration page.  He registers a username and password.  This
information is stored on the airline's web site.

Let's assume the user successfully registers.  The user then proceeds
to purchase an airplane ticket.  Upon completion, the airline service
provides a link to the car rental agency's service, which the user


Now the user is interacting with the car rental agency's service.  To
avoid forcing the user the log in again, the car rental service will
issue a SAML authentication request to the airline. 

QUESTION: How does the car rental service identify to the airline the
person for which authentication information is requested?  All that the
car rental service knows is that an HTTP GET was issued to this URL:


I suppose that the car rental service could harvest some information
from the HTTP GET header, but likely there isn't enough information in
there to identify the user.  I am fuzzy about how things would work at
this point.  Can someone help me?

Let's push forward....

Somehow the car rental service is able to gather up enough information
about the user and then issues a SAML authentication request to the
airline.  The authentication request is HTTP POSTed to this URL: 


The airline service parses the data in the authentication request, and
constructs a SAML response XML document.  In English, the SAML response
says this:

"This is in response to authentication request number ______.  
I successfully processed your request.  I assert that the subject
_______ (identity of the subject) was authenticated on _______ datetime
through the presentation of username and password over a protected
session.  This assertion is valid from ______ datetime to ______

This response XML document is then returned in the payload of the
response to the original HTTP POST from the car rental service.

The car rental service receives the authentication response, parses it
to discover that the user has been authenticated by the airline.

The car rental agency then welcomes the user (who proceeds to make a
car reservation).  

TaDa!  Single Sign-on.  Yea!

Case 2: The user's first access is not to the Airline's Web site, but
rather to the Car Agency's Web site: 


I'd like to discuss this on another day.  Before venturing into this
case, I want to make sure that I understand the above case.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]