saml-dev message

Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

My Two Cents:

Q1: How does the Car Rental give AuthN info to the Airline?
A1: One solution that we've considered is to pass the Username around as
part of a SAML message, which includes a SAML token as a password
surrogate. The Username is plaintext (which may be hacked), but the SAML
token is 'encrypted' and not very useful if intercepted.

In addition, the Car Rental and Airline may decide to share Customer
databases, so that a Web service (or other method) call with the
Username and SAML token can provide validation of the request, as well
as collection of Customer attributes from the database.

Q2 Implied: How about reciprocity?
A2: If a Legal Trust agreement is set in place (and many major online
companies already use these types of agreements within their proprietary
systems), then I believe that my description above will work
bi-directionally... and could fit multiple directions in a network.

Another Option: Given that there are certain restrictions to proprietary
Information, a 3rd Party Bridge could be established, and both the Car
Rental and AirLine could agree to host the Customer Information (or just
the Authentication server) on the 3rd Party host.... With appropriate
changes to the scenario from there.

[I can fill out the scenario, but I don't know how far into the details
that I'm qualified to dive.]

- Hank Simon

-----Original Message-----
From: Costello, Roger L. [mailto:costello@mitre.org] 
Sent: Tuesday, May 09, 2006 1:14 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] I have created a sample SSO scenario; Am I
understanding correctly how SAML is to be used?

Hi Folks,

Below I have created a sample Single Sign-on (SSO) scenario.  I would
appreciate input on whether this scenario is consistent with the SAML
methodology.  There is one part in this scenario where I am particularly
fuzzy about how things would work; I have called attention to that part
with "QUESTION".  All comments are eagerly welcomed.


An airline and a rental car agency have decided to create a business
relationship for their online services.  It is decided that the airline
will take care of customer security issues - it will store usernames and
passwords, enforce password length and style, as well as how frequently
the password must be changed.

During an early stage of their business relationship (before going
online), the airline informs the rental car agency of the security
policy that it will enforce:

- Each username must be unique.
- A password must be at least 8 characters long, and must
  contain both uppercase and lowercase letters.
- A password must be changed at least once every six months.
- Users will be authenticated through the presentation of
  their username and password over a protected (HTTPS)
- A user that logs in and is then inactive for more than
  five minutes will be automatically logged out.

The rental car agency agrees to this security policy.  

The airline creates an XML document which contains all of the aspects of
the security policy shown above.  The XML document conforms to
saml-schema-authn-context-ppt-2.0.xsd, and the XML document is placed at
this URL:

The airline and the car rental agency then proceed to build their online


Now the airline and the car rental agency have their online services
operational.  Let's observe what happens when a user accesses their

Let's consider the case where the user is accessing one of the services
for the first time.  

Case 1: The user's first access is to the Airline's service:


The user is immediately redirected to this secure URL: 


The user clicks on the "Register Now" link, which takes him to a secure
registration page.  He registers a username and password.  This
information is stored on the airline's web site.

Let's assume the user successfully registers.  The user then proceeds to
purchase an airplane ticket.  Upon completion, the airline service
provides a link to the car rental agency's service, which the user


Now the user is interacting with the car rental agency's service.  To
avoid forcing the user to log in again, the car rental service will
issue a SAML authentication request to the airline.

QUESTION: How does the car rental service identify to the airline the
person for which authentication information is requested?  All that the
car rental service knows is that an HTTP GET was issued to this URL:


I suppose that the car rental service could harvest some information
from the HTTP GET header, but likely there isn't enough information in
there to identify the user.  I am fuzzy about how things would work at
this point.  Can someone help me?

Let's push forward....

Somehow the car rental service is able to gather up enough information
about the user and then issues a SAML authentication request to the
airline.  The authentication request is HTTP POSTed to this URL: 


The airline service parses the data in the authentication request, and
constructs a SAML response XML document.  In English, the SAML response
says this:

"This is in response to authentication request number ______.  
I successfully processed your request.  I assert that the subject
_______ (identity of the subject) was authenticated on _______ datetime
through the presentation of username and password over a protected
session.  This assertion is valid from ______ datetime to ______

This response XML document is then returned in the payload of the
response to the original HTTP POST from the car rental service.

The car rental service receives the authentication response, parses it
to discover that the user has been authenticated by the airline.

The car rental agency then welcomes the user (who proceeds to make a car

TaDa!  Single Sign-on.  Yea!

Case 2: The user's first access is not to the Airline's Web site, but
rather to the Car Agency's Web site: 


I'd like to discuss this on another day.  Before venturing into this
case, I want to make sure that I understand the above case.
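The Response that Roger spells out in English above, and the "username plus SAML token" that Hank suggests passing around, both reduce to the same artifact: a SAML 2.0 Response carrying an Assertion whose NameID names the user and whose Conditions and AuthnStatement carry the validity window and the authentication method. In the SAML 2.0 Web Browser SSO profile the car rental service does not have to work out who the user is from the HTTP GET: it redirects the user's browser to the airline with an AuthnRequest, the airline recognises the user from its own login session, and the NameID in the returned Assertion is what identifies the user to the car rental service. The block below is an added example, written for this thread and not code from either message or from OASIS; it builds such a Response on the airline side and runs the checks the car rental side must perform before trusting it (InResponseTo matches the request it sent, Success status, trusted Issuer, NotBefore/NotOnOrAfter window, Audience, and an acceptable AuthnContext class). The issuer and audience URLs and the timestamps are constructed placeholders standing in for the URLs stripped from the archived mail, and the XML Signature a real airline would put on the Assertion is deliberately left out, so this is the field-level validation only, not the cryptographic check.

```python
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# "username and password over a protected session" is the PasswordProtectedTransport class
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed placeholders for the URLs missing from the archived message.
AIRLINE_IDP = "https://airline.example/idp"
CAR_RENTAL_SP = "https://carrental.example/sp"
SAMPLE_NOW = datetime(2006, 5, 9, 13, 14, 0, tzinfo=timezone.utc)


def ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    if not text:
        return None
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(request_id, name_id, audience, issuer, now, lifetime=timedelta(minutes=5)):
    """Airline (IdP) side: the Response described in English in the scenario.
    A real IdP signs the Assertion (ds:Signature); signing is omitted here."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": ts(now), "InResponseTo": request_id})  # "in response to request number ___"
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode", {"Value": SUCCESS})  # "successfully processed"
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": ts(now)})
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = name_id  # "the subject ___"
    conf = ET.SubElement(subject, f"{{{SAML_NS}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML_NS}}}SubjectConfirmationData",
                  {"InResponseTo": request_id, "NotOnOrAfter": ts(now + lifetime)})
    cond = ET.SubElement(assertion, f"{{{SAML_NS}}}Conditions",
                         {"NotBefore": ts(now), "NotOnOrAfter": ts(now + lifetime)})  # "valid from ___ to ___"
    ET.SubElement(ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction"),
                  f"{{{SAML_NS}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AuthnStatement", {"AuthnInstant": ts(now)})
    ctx = ET.SubElement(stmt, f"{{{SAML_NS}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML_NS}}}AuthnContextClassRef").text = PPT
    return ET.tostring(resp, encoding="unicode")


def check_response(xml_text, expected_request_id, expected_audience, trusted_issuer, now,
                   accepted_contexts=(PPT,)):
    """Car rental (SP) side. Returns (name_id, problems); name_id is None unless problems is empty."""
    now = now.astimezone(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return None, ["not a samlp:Response"]
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion in the Response"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != trusted_issuer:
        problems.append("Issuer is not the airline we trust")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
        if not_before and now < not_before:
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= not_on_or_after:
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("we are not in the audience of this assertion")
    ctx = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                             default="", namespaces=NS)
    if ctx not in accepted_contexts:
        problems.append("authentication method weaker than the agreed policy")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        problems.append("no NameID, so we do not know who was authenticated")
    return (name_id if not problems else None), problems


def demo():
    """One good Response, then the rejections a careful SP should produce."""
    xml = build_response("_req-1", "alice", CAR_RENTAL_SP, AIRLINE_IDP, SAMPLE_NOW)
    later = SAMPLE_NOW + timedelta(minutes=10)  # past the 5-minute window
    return {
        "valid": check_response(xml, "_req-1", CAR_RENTAL_SP, AIRLINE_IDP, SAMPLE_NOW)[0],
        "wrong_request": check_response(xml, "_req-2", CAR_RENTAL_SP, AIRLINE_IDP, SAMPLE_NOW)[1],
        "replayed_later": check_response(xml, "_req-1", CAR_RENTAL_SP, AIRLINE_IDP, later)[0],
        "wrong_issuer": check_response(xml, "_req-1", CAR_RENTAL_SP, "https://other.example/idp", SAMPLE_NOW)[0],
    }
```

The check keeps the request ID the SP generated and compares it with InResponseTo, which is what ties the answer to the question the SP actually asked; without that comparison, and without the signature check omitted here, a Response captured earlier could be presented again, which is also why the validity window is kept short.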

This publicly archived list supports open discussion on implementing the
SAML OASIS Standard. To minimize spam in the archives, you must
subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/saml-dev/
Committee homepage: http://www.oasis-open.org/committees/security/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
