Recap: the airline service displays to the user a Web page containing a link:

    Need to rent a car? Click here

When the user clicks on the link it results in going back to the airline service, the service constructs an Authentication Response XML document, and then pushes the user and the Authentication Response XML document to the car rental service.
QUESTION: The car rental service is now being presented with a pair of things:

- a user, and
- an unsolicited Authentication Response XML document.

The car rental service is being invoked by an HTTP POST, so the identity of the user is opaque to the car rental service, right? (There isn't sufficient information in the HTTP header to identify the user, right?)

How does the car rental service know that the Subject in the Authentication Response XML document corresponds to the user?
Now let's discuss the second implementation.

2. The Car Rental Agency Authenticates the User via Indexible Referencing
With this approach, the airline service's link is a direct URL to the car rental agency:

When the user clicks on the link, it is an ordinary link traversal (HTTP GET). The result is the car rental service gets activated.

Now, the car rental service has just been presented with a user. The user is unknown (his identity cannot be gleaned from the HTTP GET header).
Scott Cantor described a technology that the car rental service can use to obtain an Authentication Response XML document for the user. The technology is called indexible referencing. Here's how it works:

The car rental service constructs an Authentication Request XML document. In this XML document the Subject is identified as "the guy wielding the browser".

QUESTION: how is this expressed in a <saml:Subject> element?
The Authentication Request XML document is then sent to the user's browser (as a response to his HTTP GET). The user's browser will receive the Authentication Request XML document and automatically forward [via HTTP POST?] it to the airline service:

The airline service parses the Authentication Request XML document, and constructs an Authentication Response XML document. From Scott's email I am not sure what happens next. Does the airline service send the Authentication Response XML document directly to the car rental service? Or, does the airline service send the Authentication Response XML document to the user's browser, which then forwards it to the car rental service?
/Roger
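The two flows Roger describes, simulated end to end as an added example (this is not code from Roger's or Scott's messages, nor from any SAML implementation). The point it shows is how the car rental service (the SP) ties the Subject of a browser-delivered Response to the browser that delivered it: in the pushed, unsolicited flow the only binding is the browser session that carries the POST, so the SP must decide by policy whether to accept unsolicited Responses at all; in the request/response flow the SP records the ID of the Authentication Request it handed to that browser and later checks the Response's InResponseTo against it, in addition to the usual signature, audience, recipient, validity-window and replay checks. Assumptions: the XML documents are stood in for by Python dicts with SAML-style field names, XML Signature is stood in for by an HMAC over the serialised document, and the names (airline, carrental, alice, the ACS URL) are constructed.

```python
"""Simulated SAML browser-profile exchanges between an airline (the IdP),
a car rental service (the SP) and the user's browser relaying between them.
Dicts stand in for the XML documents; an HMAC stands in for XML Signature."""
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-airline-signing-key"   # assumption: shared demo key


def sign(doc: dict) -> dict:
    """Stand-in for the IdP's XML Signature over the Response."""
    body = json.dumps(doc, sort_keys=True).encode()
    return {"doc": doc, "sig": hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()}


def verify(signed: dict) -> bool:
    body = json.dumps(signed["doc"], sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signed["sig"], expected)


class Browser:
    """The user's browser: one cookie per site; it relays GETs and POSTs."""
    def __init__(self):
        self.cookies = {}


class Airline:
    """The IdP: it already has an authenticated session for the user."""
    def __init__(self):
        self.sessions = {}                      # airline cookie -> user

    def login(self, browser, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        browser.cookies["airline"] = cookie

    def build_response(self, browser, in_response_to=None):
        """Issue a Response for whoever this browser's airline session belongs to."""
        user = self.sessions[browser.cookies["airline"]]
        return sign({"ID": "_" + secrets.token_hex(8), "Issuer": "airline",
                     "InResponseTo": in_response_to, "Subject": user,
                     "Audience": "carrental",
                     "Recipient": "https://carrental.example/acs",
                     "NotOnOrAfter": time.time() + 300})


class CarRental:
    """The SP: it learns who the user is only from the delivered Response."""
    ACS = "https://carrental.example/acs"

    def __init__(self, allow_unsolicited=True):
        self.allow_unsolicited = allow_unsolicited
        self.pending = {}      # SP cookie -> outstanding Authentication Request ID
        self.sessions = {}     # SP cookie -> authenticated Subject
        self.seen_ids = set()  # Response IDs already consumed (replay check)

    def _cookie(self, browser):
        cookie = browser.cookies.get("carrental") or secrets.token_hex(8)
        browser.cookies["carrental"] = cookie
        return cookie

    def handle_get(self, browser):
        """Unknown user arrives by GET: issue a request bound to this browser's cookie."""
        req = {"ID": "_" + secrets.token_hex(8), "Issuer": "carrental",
               "AssertionConsumerServiceURL": self.ACS}
        self.pending[self._cookie(browser)] = req["ID"]
        return req

    def handle_post(self, browser, signed):
        """Browser POSTs a Response to the ACS; validate it before trusting the Subject."""
        cookie, doc = self._cookie(browser), signed["doc"]
        if not verify(signed):
            return "reject: bad signature"
        if doc["Audience"] != "carrental" or doc["Recipient"] != self.ACS:
            return "reject: not addressed to this SP"
        if doc["NotOnOrAfter"] < time.time():
            return "reject: expired"
        if doc["ID"] in self.seen_ids:
            return "reject: replay"
        if doc["InResponseTo"] is None:
            if not self.allow_unsolicited:
                return "reject: unsolicited Response not accepted"
        elif self.pending.pop(cookie, None) != doc["InResponseTo"]:
            return "reject: InResponseTo does not match this browser's request"
        self.seen_ids.add(doc["ID"])
        self.sessions[cookie] = doc["Subject"]   # the delivering browser is now this Subject
        return "welcome " + doc["Subject"]


def idp_initiated_flow(user="alice"):
    """Flow 1: airline pushes an unsolicited Response through the browser."""
    b, idp, sp = Browser(), Airline(), CarRental()
    idp.login(b, user)
    return sp.handle_post(b, idp.build_response(b))


def sp_initiated_flow(user="alice"):
    """Flow 2: car rental issues a request, browser relays it and the Response."""
    b, idp, sp = Browser(), Airline(), CarRental(allow_unsolicited=False)
    idp.login(b, user)
    req = sp.handle_get(b)
    return sp.handle_post(b, idp.build_response(b, in_response_to=req["ID"]))


def replayed_response():
    """The same Response delivered a second time, from a different browser."""
    b, idp, sp = Browser(), Airline(), CarRental()
    idp.login(b, "alice")
    signed = idp.build_response(b)
    sp.handle_post(b, signed)
    return sp.handle_post(Browser(), signed)


def response_from_other_browser():
    """A Response answering one browser's request is delivered by another browser."""
    b1, b2, idp, sp = Browser(), Browser(), Airline(), CarRental(allow_unsolicited=False)
    idp.login(b1, "alice")
    req = sp.handle_get(b1)
    return sp.handle_post(b2, idp.build_response(b1, in_response_to=req["ID"]))
```

Running the four functions shows the contrast: both legitimate flows end in `welcome alice`, the replayed document is rejected by the consumed-ID check, and the Response delivered by a browser other than the one that was issued the request is rejected because the SP's pending-request record for that browser does not match the Response's InResponseTo.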