Subject: Re: [saml-dev] SubjectConfirmation in SAML query
OK, thanks. So the SP is "client authenticating" the "user" and using information in the X509 of the user to get their attributes. The IdP takes no part in the authentication of the user. Presumably the location of the IdP can be inferred from the contents of the X509.

> All that's needed is an extension
> so the requester can ask for a specific set of attributes

Yes, that would be very handy indeed. AttributeConsumingServiceIndex doesn't seem to be of too much use for dynamic attribute requests.

This looks interesting for machine-to-machine as well, and for passing tokens between SPs when using web services (sorry!). If an aggregating SP passes the extended AuthnRequest it constructs to other services it has a relationship with, those other services can use that AuthnRequest to get their own attributes. The interesting question for me is how to authenticate those other services at the IdP. If the IdP trusts SP1 then perhaps it could trust those SPs that SP1 trusts. SP1 signing an AuthnRequest and setting the AssertionConsumerServiceURL to SP2's service would be interesting for n-tier machine-to-machine.

Alistair

--
mov eax,1
mov ebx,0
int 80h

> On 2/11/07, Alistair Young <alistair@smo.uhi.ac.uk> wrote:
>> > define an AuthnRequest Extension to allow
>> > for
>> > tunnelling Attributes to use as a query
>> can you explain a bit more about this please? What do you mean by
>> "tunnelling"?
>
> A principal can use AttributeQuery to self-query for attributes. See,
> for example, section 4 of this deployment profile:
>
> http://www.oasis-open.org/committees/download.php/21568/sstc-saml2-profiles-deploy-x509-draft-01.pdf
>
> Scott is suggesting to use AuthnRequest instead of AttributeQuery,
> since AuthnRequest is much richer. All that's needed is an extension
> so the requester can ask for a specific set of attributes. Then
> AuthnRequest will be able to do everything that AttributeQuery can do,
> and much more.
>
> Hope that helps,
> Tom
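The two ideas in this exchange, an AuthnRequest carrying a list of requested attributes in its Extensions element, and SP1 signing a request whose AssertionConsumerServiceURL names SP2, are sketched below as an added example. It is not code from the thread or from any SAML implementation. The extension namespace `urn:example:saml:ext:requested-attributes`, the entity IDs, ACS URLs and attribute OIDs, and the `TRUSTED_ACS` table are all assumptions invented for the example; the thread only proposes that such an extension exist. The IdP-side check assumes the XML signature over the request has already been verified against the issuer's metadata key (XML-DSig is not in the Python standard library), and then answers the question Alistair raises: the IdP only honours an ACS URL that its own metadata binds to the signing SP, so SP1 can route a response to SP2 only where the IdP has explicitly allowed that delegation.

```python
# Added example: requested-attribute extension on a SAML 2.0 AuthnRequest,
# and the IdP-side acceptance check. Not from the thread; all names below
# (namespace, entity IDs, URLs, OIDs, trust table) are constructed assumptions.
import uuid
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REQ_ATTR = "urn:example:saml:ext:requested-attributes"  # hypothetical extension ns
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("req", REQ_ATTR)


def build_authn_request(issuer, acs_url, attribute_names, request_id=None):
    """SP side: AuthnRequest whose Extensions lists the attributes wanted.
    Element order follows RequestAbstractType: Issuer, (Signature), Extensions."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(root, f"{{{SAMLP}}}Extensions")
    wanted = ET.SubElement(ext, f"{{{REQ_ATTR}}}RequestedAttributes")
    for name in attribute_names:
        ET.SubElement(wanted, f"{{{SAML}}}Attribute",
                      {"Name": name, "NameFormat": URI_FORMAT})
    return ET.tostring(root, encoding="unicode")


def parse_authn_request(xml_text):
    """Return (issuer, acs_url, [requested attribute names])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs_url = root.get("AssertionConsumerServiceURL")
    path = (f"{{{SAMLP}}}Extensions/{{{REQ_ATTR}}}RequestedAttributes/"
            f"{{{SAML}}}Attribute")
    names = [a.get("Name") for a in root.findall(path)]
    return issuer, acs_url, names


# Constructed trust table (assumption): ACS URLs the IdP's metadata binds to
# each signing SP. SP1 is permitted to name SP2's endpoint, modelling the
# n-tier delegation discussed in the thread; SP2 may only name its own.
TRUSTED_ACS = {
    "https://sp1.example.org/sp": {"https://sp1.example.org/acs",
                                   "https://sp2.example.org/acs"},
    "https://sp2.example.org/sp": {"https://sp2.example.org/acs"},
}


def idp_accept(xml_text, trusted_acs=TRUSTED_ACS):
    """IdP side: decide whether to answer the request and with which attributes.
    Precondition (assumed, not implemented here): the request's XML signature
    was verified against the key registered for the Issuer's entity ID, so
    the Issuer value below is authenticated rather than self-asserted."""
    issuer, acs_url, names = parse_authn_request(xml_text)
    if issuer not in trusted_acs:
        raise PermissionError(f"unknown issuer {issuer!r}")
    # The ACS URL must be one the IdP binds to this signer; without this check
    # a validly signed request could steer the response to any endpoint.
    if acs_url not in trusted_acs[issuer]:
        raise PermissionError(f"{acs_url!r} is not registered for {issuer!r}")
    return names


if __name__ == "__main__":
    req = build_authn_request("https://sp1.example.org/sp",
                              "https://sp2.example.org/acs",
                              ["urn:oid:2.5.4.42", "urn:oid:0.9.2342.19200300.100.1.3"])
    print(req)
    print("IdP will release:", idp_accept(req))
```

The delegation question in the thread is decided entirely by the `TRUSTED_ACS` table: trusting "those SPs that SP1 trusts" means the IdP operator explicitly lists SP2's endpoint under SP1's entry, rather than accepting whatever AssertionConsumerServiceURL a signed request happens to carry.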