Subject: RE: [saml-dev] saving saml assertions
> can a SAML authority save SAML assertions so that they can be
> retrieved later by someone else (e.g. a relying party) or do
> only the subjects save their own assertions?

This (the authority saving assertions) is the typical mode of operation when SAML Artifact protocols are used for the assertion delivery operations.

So, for example, in the Browser-SSO protocol, the Response message to an AuthnRequest may be sent to the relying party (through the subject's browser) as an Artifact. Later the relying party submits the artifact to the IdP and retrieves the response that includes the assertion. This is a very common model because in many cases the Assertion won't need to be signed (since it is delivered directly from the IdP to the RP over a trusted channel).

Note that there's nothing in SAML that says the IdP actually generated the assertion when it sent the artifact to the Relying Party. In many cases, I think the IdP would wait for the artifact resolution call to generate the assertion, but that is all an out-of-scope implementation detail within the IdP.

Note also that in the browser SSO protocols, the Subject usually does not save any assertions as they are just funneled through the browser to the RP.

In other protocols, such as Liberty's ID-WSF protocols, assertions are delivered to web service consumers for later inclusion in messages to web services and as such are typically managed locally by the web service consumer. However, even there, artifact type objects may be used to pass along references to assertions rather than the assertions themselves.

Conor
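
Added example, not part of the original message: a sketch of the IdP-side store behind the artifact flow described above, where the response is built only when the relying party resolves the artifact. The names ArtifactStore, issue, resolve and build_response are hypothetical; the 44-byte layout follows the SAML 2.0 type 0x0004 artifact format, and the expiry window, one-time use and requester check are this sketch's own assumptions about how an IdP would guard the store.

```python
import base64
import hashlib
import secrets
import time

TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact type 0x0004


class ArtifactStore:
    """IdP-side store: keeps a pending response until the RP resolves its artifact."""

    def __init__(self, idp_entity_id, ttl_seconds=60, clock=time.time):
        # SourceID is the SHA-1 hash of the issuer's entity ID (20 bytes).
        self.source_id = hashlib.sha1(idp_entity_id.encode()).digest()
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # message handle -> (rp_entity_id, expiry, builder)

    def issue(self, rp_entity_id, build_response, endpoint_index=0):
        """Return a base64 artifact; build_response is called only on resolution."""
        handle = secrets.token_bytes(20)  # unguessable MessageHandle
        expiry = self.clock() + self.ttl
        self._pending[handle] = (rp_entity_id, expiry, build_response)
        raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + self.source_id + handle
        return base64.b64encode(raw).decode()

    def resolve(self, artifact_b64, requester_entity_id):
        """Return the response for an authenticated requester, or None."""
        try:
            raw = base64.b64decode(artifact_b64, validate=True)
        except ValueError:
            return None
        if len(raw) != 44 or raw[:2] != TYPE_CODE or raw[4:24] != self.source_id:
            return None
        # pop() removes the entry on any attempt, so an artifact works at most once.
        entry = self._pending.pop(raw[24:], None)
        if entry is None:
            return None
        rp_entity_id, expiry, build_response = entry
        if self.clock() > expiry or rp_entity_id != requester_entity_id:
            return None
        return build_response()  # the assertion is generated here, not at issue time


if __name__ == "__main__":
    store = ArtifactStore("https://idp.example.org")  # constructed entity IDs
    art = store.issue("https://rp.example.org", lambda: "<samlp:Response/>")
    print(store.resolve(art, "https://rp.example.org"))  # response, first use
    print(store.resolve(art, "https://rp.example.org"))  # None, replay rejected
```

requester_entity_id is assumed to come from the authenticated back channel to the IdP (for example mutual TLS or a signed ArtifactResolve), never from the artifact itself.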