[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] SubjectConfirmation in SAML query
On 2/11/07, Alistair Young <alistair@smo.uhi.ac.uk> wrote: > ok, thanks. So the SP is "client authenticating" the "user" and using > information in the X509 of the user to get their attributes. > > The IdP takes no part in the authentication of the user. > > Presumably the location of the IdP can be inferred from the contents of > the X509. That's the crux of attribute query (section 3), yes, but I was referring to section 4 (self-query). In that case, the principal queries the IdP directly and pushes the resulting attributes to an SP. > This looks interesting for machine to machine as well and passing tokens > between SPs when using web services (sorry!). If an aggregating SP passes > the extended AuthnRequest it constructs to other services it has a > relationship with, those other services can use that AuthnRequest to get > their own attributes. I'm not sure why an SP would pass an AuthnRequest to another SP. Anyway, here's what I had in mind: 1. The principal issues an extended AuthnRequest (with attributes) to the IdP. 2. The IdP returns a signed assertion to the principal. The assertion contains an AuthnStatement and an AttributeStatement. 3. The principal presents the assertion to an SP. 4. The SP makes an access control decision and does the right thing. > The interesting question for me is how to authenticate those other > services at the IdP. If the IdP trusts SP1 then perhaps it could trust > those SPs that SP1 trusts. SP1 signing an AuthnRequest and setting the > AssertionConsumerServiceURL to SP2's service would be interesting for > n-tier machine to machine. This is slightly off topic, but I will mention that a principal wielding an AuthnRequest could ask for multiple SubjectConfirmation elements, one with method 'bearer' to present the assertion to SP1 and another with method 'holder-of-key' so that SP1 could forward the assertion to SP2. Scott suggested this basic approach some time ago, I believe. Tom
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]