Re: [saml-dev] SubjectConfirmation in SAML query

["Tom Scavo" <trscavo@gmail.com>]

On 2/11/07, Alistair Young <alistair@smo.uhi.ac.uk> wrote:
> ok, thanks. So the SP is "client authenticating" the "user" and using
> information in the X509 of the user to get their attributes.
>
> The IdP takes no part in the authentication of the user.
>
> Presumably the location of the IdP can be inferred from the contents of
> the X509.

That's the crux of attribute query (section 3), yes, but I was
referring to section 4 (self-query).  In that case, the principal
queries the IdP directly and pushes the resulting attributes to an SP.

> This looks interesting for machine to machine as well and passing tokens
> between SPs when using web services (sorry!). If an aggregating SP passes
> the extended AuthnRequest it constructs to other services it has a
> relationship with, those other services can use that AuthnRequest to get
> their own attributes.

I'm not sure why an SP would pass an AuthnRequest to another SP.
Anyway, here's what I had in mind:

1. The principal issues an extended AuthnRequest (with attributes) to the IdP.
2. The IdP returns a signed assertion to the principal.  The assertion
contains an AuthnStatement and an AttributeStatement.
3. The principal presents the assertion to an SP.
4. The SP makes an access control decision and does the right thing.

> The interesting question for me is how to authenticate those other
> services at the IdP. If the IdP trusts SP1 then perhaps it could trust
> those SPs that SP1 trusts. SP1 signing an AuthnRequest and setting the
> AssertionConsumerServiceURL to SP2's service would be interesting for
> n-tier machine to machine.

This is slightly off topic, but I will mention that a principal
wielding an AuthnRequest could ask for multiple SubjectConfirmation
elements, one with method 'bearer' to present the assertion to SP1 and
another with method 'holder-of-key' so that SP1 could forward the
assertion to SP2.  Scott suggested this basic approach some time ago,
I believe.

Tom