Subject: RE: [saml-dev] Looking for feedback on a first SAML implementation.
> I've been tasked with designing a very simple SSO (single sign-on) process.
> My employer has specified that it should be implemented in SAML. I'd like to
> create messages that are absolutely as simple as possible while conforming
> to the SAML spec.

I have a better suggestion: choose an existing implementation and don't try and write your own. Anyone else that has to deal with your deployment will thank you.

> The interaction needs to work as follows:
>
> 1) User requests service from service provider. At this point, the service
> provider knows nothing about the user.
> 2) Service provider requests authentication for user from identity provider

Unless there's only one IdP, you've left out the IdP discovery step.

> Here's what I think the request should be:

You're missing <NameIDPolicy AllowCreate="true"/>, which is almost always needed because AllowCreate unfortunately defaults to false, creating implied, largely useless, limitations on what the IdP can do to respond. Including a Subject is also extremely rare, and including a transient ID in a request is even rarer, borderline unheard of. Otherwise you're pretty close.

> Here's what I think the response should be:

Your confirmation Method is incorrect; it should be the bearer method. The confirmation data is also missing the NotOnOrAfter, Recipient, and Address XML attributes, and the assertion is missing an Audience condition. There's also no signature on the response or the assertion, though perhaps that was left implied. All of that speaks to the security of the implementation, so if none of that was clear to begin with, you're on dangerous ground and may need to go back and re-read some of this.

> So, again, my questions are:
>
> 1) Is this a valid SAML interaction?

For SSO, no.

> 2) Can either the request or response xml be simplified?

Not really, you're a ways from the minimum.

I'm sure you've read the profile, and I assume core and bindings, but what you need to do is read the sections of the profile that govern AuthnRequest and Response usage and you will find the MUST statements covering what you have to put in them.

> 3) Where in the response should I put the subject's email address?

In a NameID with the emailAddress Format, or in an Attribute.

But I would again urge you to consider choosing an existing solution, commercial or open source, based on your environment's needs and the scale of your deployment requirements. Different options will provide different strengths and weaknesses.

-- Scott
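Added illustration, not part of Scott's reply or the original thread: a small SP-side checker that tests a Response for the items listed above (bearer confirmation, Recipient and NotOnOrAfter on the confirmation data, an Audience condition, and the presence of a signature). The sample Response, the ACS URL and entityID are constructed for the example; it checks only that a Signature element is present, since actual XML-DSig verification needs a dedicated library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_sso_assertion(xml_text, acs_url, sp_entity_id, now=None):
    """Return a list of findings; an empty list means every structural check passed.
    Only the *presence* of a Signature is checked; verifying it needs an XML-DSig library."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response"]
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        findings.append("SubjectConfirmation Method is not bearer")
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if scd is None:
        findings.append("SubjectConfirmationData missing")
    else:
        if scd.get("Recipient") != acs_url:  # must name this SP's ACS endpoint
            findings.append("Recipient missing or not this SP's ACS URL")
        nooa = scd.get("NotOnOrAfter")
        if nooa is None:
            findings.append("NotOnOrAfter missing")
        elif now >= datetime.fromisoformat(nooa.replace("Z", "+00:00")):
            findings.append("assertion expired")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # Audience condition must name this SP
        findings.append("Audience condition missing or not this SP's entityID")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion is signed")
    return findings

# Constructed sample response (not from the thread) carrying the elements Scott lists.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature/><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
    NotOnOrAfter="2030-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
# Same response with the signature dropped and a non-bearer method, to show the findings.
BAD = GOOD.replace("<ds:Signature/>", "").replace("cm:bearer", "cm:holder-of-key")
```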