Subject: RE: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?


Hi Folks,

Many thanks for your excellent replies.  Below I have tried to tie together all of the responses.  As you will see, many new questions have arisen.   /Roger

First, recall the scenario:

A user has successfully authenticated to the airline service, has purchased an airplane ticket, and the airline service is now displaying to the user a link to where he can make a car reservation:

                 Need to rent a car?  Click here

The airline can implement the link in two ways:

1. When the user clicks on the link, it results in an unsolicited Authentication Response being sent to the car rental service. 

2. When the user clicks on the link, an ordinary link traversal occurs (no Authentication Response is sent).

Let's explore each of these implementation approaches.
 
1. The Airline Pushes an Unsolicited SAML Authentication Response to the Car Rental Agency
 
In this approach the user makes his way to the car rental service via an indirect route.  Clicking on the link doesn't take him to the car rental service; instead, it takes him back to the airline service.  Here's the link's URL: 

        https://www.AirlineInc.com/IdP/transfer?TARGET=https://www.CarRentalInc.com

Note the query parameter (the param=value pair after the question mark).  
 
The airline service is activated and constructs an Authentication Response XML document.  It then does an HTTP redirect (using the value of the TARGET query parameter), redirecting the user to the car rental service, and attaches the Authentication Response XML document as the payload of the HTTP redirect.
 
QUESTION:  When doing an HTTP redirect, can you add a payload?  I thought a redirect was just altering an HTTP GET URL to a different URL?  Is it really an HTTP redirect that occurs?  I am fuzzy on what happens between the time the user clicks on the link and the time he arrives at the car rental agency's service.
 
Recap: the airline service displays to the user a Web page containing a link:

                 Need to rent a car?  Click here
 
When the user clicks on the link it results in going back to the airline service, the service constructs an Authentication Response XML document, and then pushes the user and the Authentication Response XML document to the car rental service. 
 
QUESTION:
 
The car rental service is now being presented with a pair of things:
      - a user, and
      - an unsolicited Authentication Response XML document. 
 
The car rental service is being invoked by an HTTP POST, so the identity of the user is opaque to the car rental service, right?  (There isn't sufficient information in the HTTP header to identify the user, right?) 
 
How does the car rental service know that the Subject in the Authentication Response XML document corresponds to the user? 
 
Now let's discuss the second implementation.
 
2. The Car Rental Agency Authenticates the User via Indexible Referencing
 
With this approach, the airline service's link is a direct URL to the car rental agency:
 
       https://www.CarRentalInc.com
 
When the user clicks on the link, it is an ordinary link traversal (HTTP GET). The result is the car rental service gets activated. 
 
Now, the car rental service has just been presented with a user.  The user is unknown (his identity cannot be gleaned from the HTTP GET header).
 
Scott Cantor described a technology that the car rental service can use to obtain an Authentication Response XML document for the user.  The technology is called indexible referencing.  Here's how it works:
 
The car rental service constructs an Authentication Request XML document.  In this XML document the Subject is identified as "the guy wielding the browser".
 
QUESTION: how is this expressed in a <saml:Subject> element?
 
The Authentication Request XML document is then sent to the user's browser (as a response to his HTTP GET).   The user's browser will receive the Authentication Request XML document and automatically forward [via HTTP POST?]  it to the airline service:
 
       https://www.AirlineInc.com/authentication-request
 
The airline service parses the Authentication Request XML document, and constructs an Authentication Response XML document.  From Scott's email I am not sure what happens next.  Does the airline service send the Authentication Response XML document directly to the car rental service?  Or, does the airline service send the Authentication Response XML document to the user's browser, which then forwards it to the car rental service? 
 
/Roger
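Added example, not part of this thread or of any SAML product: a Python sketch of the checks a relying party such as the car rental service can apply to a bearer-confirmed assertion before binding its Subject to the browser session that delivered it, covering both the unsolicited (approach 1) and the request/response (approach 2) cases. It assumes SAML 2.0 element names, an assumed SP endpoint URL, a constructed sample response, and that the XML signature was verified before this function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://www.CarRentalInc.com/acs"  # assumed SP endpoint (not from the thread)

# Constructed sample, shaped like what the browser would POST to the SP endpoint.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" InResponseTo="_req42" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1"><saml:Subject>
    <saml:NameID>roger@AirlineInc.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
        NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

def confirm_bearer_subject(xml_text, acs_url, pending_ids, allow_unsolicited, now=None):
    """Return (name_id, reason); name_id is None when the SP must not bind the
    assertion to this browser session. Signature verification is assumed done."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return None, "Destination is not this SP's endpoint"
    req_id = root.get("InResponseTo")  # absent for an unsolicited (IdP-initiated) response
    if req_id is None and not allow_unsolicited:
        return None, "unsolicited response, but this SP only accepts SP-initiated flow"
    if req_id is not None and req_id not in pending_ids:
        return None, "InResponseTo does not match a request this SP issued"
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        subject = assertion.find(f"{{{SAML}}}Subject")
        name_id = subject.findtext(f"{{{SAML}}}NameID")
        for sc in subject.findall(f"{{{SAML}}}SubjectConfirmation"):
            data = sc.find(f"{{{SAML}}}SubjectConfirmationData")
            if sc.get("Method") != BEARER or data is None:
                continue  # only bearer confirmation means "whoever presents this"
            if data.get("Recipient") != acs_url or data.get("InResponseTo") != req_id:
                continue  # assertion was meant for another endpoint or another request
            stamp = data.get("NotOnOrAfter", "")
            if not stamp or datetime.fromisoformat(stamp.replace("Z", "+00:00")) <= now:
                continue  # missing or expired presentation window
            return name_id, "bearer confirmation satisfied"
    return None, "no acceptable bearer SubjectConfirmation"
```

The tie between "the guy wielding the browser" and the Subject is thus not in the HTTP headers at all: it comes from the browser presenting the assertion, over TLS, to the exact Recipient within NotOnOrAfter, and, in the SP-initiated case, in reply to a request ID the SP itself remembers issuing.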