saml-dev message
Subject: RE: [saml-dev] Distributed IDP model
- From: "Cahill, Conor P" <conor.p.cahill@intel.com>
- To: <michael.mccormick@wellsfargo.com>,<saml-dev@lists.oasis-open.org>
- Date: Wed, 9 Aug 2006 13:32:36 -0700
> Instead I think what's needed is a lightweight SOAP request through which an IDP can ask a proxy to generate an assertion/artifact pair on its behalf. The response would be a SAML artifact. This request/response should ideally be part of the SAML standard protocols.
I'm not sure how "lightweight" you can be if you're including all the IdP-filled fields that can be in an assertion (essentially you end up sending over a duplicate of the structure of an assertion, and at that point, why not just use the assertion format).
Another point I would like to make is that an awful lot of thought went into the design of the system in SAML and much of it came from people with experience running large SSO implementations... we solved many issues related to a well-oiled system. Your question makes me think that you think you can get around many of these issues by delegating them to some other party; however, I'm not convinced that this can be satisfactorily accomplished without implementing full SAML between the IdP and the CIA.
For example:

- Can the IdP (on its own, or at the direction of the user) initiate a logout of the user? If so you need the SLO protocols.
- Similarly, if the RP initiates a logout, does the IdP find out about it from the CIA?
- How does the CIA get the NameID for the user (and does it get it in plain text, or does the IdP already encrypt it for the Relying Party)?
- How does the IdP send out NameID changes (NameID Management) to the Relying Parties (is that through the CIA as well)?
- Who keeps track of an existing authentication session at the Relying Party? The IdP or the CIA or both?

etc, etc...
I fear that any attempt to short-circuit these kinds of things opens up the potential for the creation of security holes.
As Scott said, you can always treat the CIA as an internal implementation of the IdP (and therefore ensure that the interfaces exposed by the IdP/CIA fulfill the requirements of the SSO profile you're trying to implement).
Conor
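The exchange above turns on what an "assertion/artifact pair" actually contains and why a request asking a proxy to mint one ends up carrying the same fields as the assertion itself. The following is an added illustration, not code from either poster or from any SAML product: it builds a minimal SAML 2.0 bearer assertion with the Python standard library, mints a SAML 2.0 type-4 artifact for it (TypeCode 0x0004, EndpointIndex, 20-byte SourceID = SHA-1 of the issuer entityID, 20-byte random MessageHandle, per the SAML 2.0 Bindings spec), and keeps the pair in a one-shot store so that resolving the artifact twice fails. The entity IDs, NameID value and session index are constructed sample values; no real deployment is referenced. Every argument to build_assertion is an IdP-decided field, which is the point Conor makes about the "lightweight" request.

```python
import base64
import hashlib
import secrets
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ARTIFACT_TYPE = b"\x00\x04"  # SAML 2.0 artifact TypeCode 0x0004

ET.register_namespace("saml", SAML_NS)


def _q(local):
    return f"{{{SAML_NS}}}{local}"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(issuer, name_id, audience, recipient, session_index,
                    now=None, lifetime_seconds=300):
    """Minimal SAML 2.0 bearer assertion (unsigned; signing is out of scope here).
    Every parameter is something the IdP must decide: that is the data a
    "generate an assertion for me" request to a proxy would have to carry."""
    now = now or datetime.now(timezone.utc)
    expiry = now + timedelta(seconds=lifetime_seconds)
    a = ET.Element(_q("Assertion"), {"Version": "2.0",
                                     "ID": "_" + uuid.uuid4().hex,
                                     "IssueInstant": _ts(now)})
    ET.SubElement(a, _q("Issuer")).text = issuer
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), {"Format": NAMEID_PERSISTENT}).text = name_id
    sc = ET.SubElement(subj, _q("SubjectConfirmation"), {"Method": CM_BEARER})
    ET.SubElement(sc, _q("SubjectConfirmationData"),
                  {"Recipient": recipient, "NotOnOrAfter": _ts(expiry)})
    cond = ET.SubElement(a, _q("Conditions"),
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(expiry)})
    ar = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(ar, _q("Audience")).text = audience
    authn = ET.SubElement(a, _q("AuthnStatement"),
                          {"AuthnInstant": _ts(now), "SessionIndex": session_index})
    ctx = ET.SubElement(authn, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = AC_PASSWORD
    return a


def source_id_for(entity_id):
    """SourceID is the SHA-1 of the issuer's entityID (SAML 2.0 Bindings 3.6.4)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def make_artifact(issuer_entity_id, endpoint_index=0):
    """Type-4 artifact: 2-byte TypeCode, 2-byte EndpointIndex, 20-byte SourceID,
    20-byte random MessageHandle, base64 encoded (44 raw bytes)."""
    raw = (ARTIFACT_TYPE + endpoint_index.to_bytes(2, "big")
           + source_id_for(issuer_entity_id) + secrets.token_bytes(20))
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != ARTIFACT_TYPE:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "handle": raw[24:44]}


class ArtifactStore:
    """Holds assertion/artifact pairs until the SP resolves them.
    An artifact is single-use: resolution removes it, so a replayed
    ArtifactResolve gets nothing back."""

    def __init__(self):
        self._pending = {}

    def issue(self, issuer_entity_id, assertion):
        artifact = make_artifact(issuer_entity_id)
        self._pending[artifact] = ET.tostring(assertion, encoding="unicode")
        return artifact

    def resolve(self, artifact):
        return self._pending.pop(artifact, None)


if __name__ == "__main__":
    # Constructed sample values; no real IdP or SP is referenced.
    idp = "https://idp.example.test/saml"
    assertion = build_assertion(idp, "u-7f3a", "https://sp.example.test",
                                "https://sp.example.test/acs", "sess-001")
    store = ArtifactStore()
    art = store.issue(idp, assertion)
    print(art)
    print(store.resolve(art))
```

The artifact itself carries no user data, only a pointer back to the issuer (SourceID) and a random handle; everything the Relying Party will act on lives in the stored assertion, which is why whoever mints the pair has to know the NameID, audience, session index and lifetimes, exactly the fields listed in the message above.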