saml-dev message
Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

> Q1: How does the Car Rental give AuthN info to the Airline?
> A1: One solution that we've considered is to pass the 
> Username around as part of a SAML message, which includes a 
> SAML token as a password surrogate. The Username is plaintext 
> (which may be hacked), but the SAML token is 'encrypted' and 
> not very useful if intercepted.

I don't understand where the separate username comes in when 
you have a SAML token (which in all likelihood includes the 
username in the Subject element).

As far as a token being useful or not if intercepted, that will
have a lot more to do with the subject confirmation in the 
assertion than with the fact of it being encrypted or not.  If
a SAML assertion has a "...:bearer" subject confirmation method,
anybody who presents it to the relying party is treated as having
confirmed the subject (even if the assertion is encrypted) and
as such, it needs to be protected from interception.

With respect to the question that Roger had asked, he wanted
to know how the car rental agency would initiate the AuthnRequest
(e.g. before there is a SAML token lying about).

> In addition, the Car Rental and Airline may decide to share 
> Customer databases, so that a Web service (or other method) 
> call with the Username and SAML token can provide validation 
> of the request, as well as collection of Customer attributes 
> from the database.

Web services weren't in the mix in Roger's example, but if you 
wanted to do them, all you need is the SAML token... You don't
need to also pass along the username as it wouldn't be 'trusted'
unless it was also referenced in the SAML assertion in which 
case it would just be duplicate information.

Conor
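As an added example (not from this thread or from Conor), the following Python reads the subject name from the assertion's own Subject/NameID, so no separate username travels alongside the token, and applies the relying-party checks a bearer confirmation needs before the presenter is treated as the subject. The assertion, endpoint URLs and request ID are constructed for illustration.

```python
# Added example (not from the list thread): inspect a SAML 2.0 assertion's
# Subject and apply the relying-party checks a bearer confirmation needs.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (unsigned, for illustration only); a real
# relying party verifies the signature before trusting any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://airline.example.test/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_bearer_assertion(xml_text, expected_recipient, expected_request_id, now):
    """Return (accepted, subject_name, reason).
    The username comes from Subject/NameID; no separate username is needed.
    A bearer assertion is accepted from whoever presents it, so the relying
    party must at least pin Recipient, InResponseTo and NotOnOrAfter."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return False, name_id, "not a bearer confirmation"
    data = conf.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return False, name_id, "bearer confirmation lacks SubjectConfirmationData"
    if data.get("Recipient") != expected_recipient:
        return False, name_id, "Recipient mismatch"
    if data.get("InResponseTo") != expected_request_id:
        return False, name_id, "InResponseTo mismatch"
    if now >= _parse_time(data.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
        return False, name_id, "assertion expired"
    return True, name_id, "ok"
```

The Recipient and InResponseTo checks are what stop an intercepted bearer assertion from being replayed at a different endpoint or outside the request that asked for it; the short NotOnOrAfter window limits how long a captured copy stays usable.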
