Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?
> QUESTION: How does the car rental service identify to the airline the
> person for which authentication information is requested? All that the
> car rental service knows is that an HTTP GET was issued to this URL:
>
> https://www.CarRentalInc.com

I might have missed it, but I never saw a direct answer to this.

A technical term for this that's sometimes used is "indexical reference". The reason it works is that the AuthnRequest is sent back to the browser in response to the GET and it's the browser that sends it to the IdP via GET or POST. The reference is to "that guy wielding the browser", and the whole thing is "secured" using bearer semantics.

The SP and IdP understand implicitly that the messages being passed refer to the browser accessing them. They tunnel the rest of what they do (password collection, session state, SAML messages) inside the HTTP messages exchanged.

This is just one adaptation of SAML to do something.

-- Scott
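
Added example, not part of the original message: a sketch of the exchange described above, assuming the SAML 2.0 HTTP-Redirect binding. The IdP endpoint, the ACS path and the function names are assumptions made for illustration. It shows that the AuthnRequest the browser carries names only the issuing SP and contains no Subject.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://www.CarRentalInc.com"         # URL from the question
SP_ACS_URL = "https://www.CarRentalInc.com/saml/acs"  # assumed path
IDP_SSO_URL = "https://idp.airline.example/sso"       # assumed IdP endpoint

def sp_build_redirect(relay_state):
    """SP side: build the 302 Location returned for an anonymous GET."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-Redirect binding: raw DEFLATE, base64, then URL-encoding.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def idp_parse_redirect(url, max_xml=64 * 1024):
    """IdP side: decode what the browser delivered in its own GET."""
    qs = parse_qs(urlparse(url).query)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(qs["SAMLRequest"][0]), max_xml)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past the size limit")
    # Production code would use a hardened XML parser and validate the issuer.
    root = ET.fromstring(xml)
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "request_id": root.get("ID"),
        "has_subject": root.find(f"{{{SAML}}}Subject") is not None,
        "relay_state": qs["RelayState"][0],
    }

if __name__ == "__main__":
    print(idp_parse_redirect(sp_build_redirect("/reservations")))
```

The IdP learns who the request is about only from the browser session that delivers it, so the SP should record the request ID it issued and accept a response only when it answers that ID.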