Subject: Re: [saml-dev] Looking for feedback on a first SAML implementation.
> I've been tasked with designing a very simple SSO (single sign-on)
> process.
> My employer has specified that it should be implemented in SAML. I'd like
> to create messages that are absolutely as simple as possible while
> conforming to the SAML spec.

I have a better suggestion: choose an existing implementation and don't try
and write your own. Anyone else that has to deal with your deployment will
thank you.

> The interaction needs to work as follows:
>
> 1) User requests service from service provider; at this point, the service
> provider knows nothing about the user.
> 2) Service provider requests authentication for user from identity
> provider

Unless there's only one IdP, you've left out the IdP discovery step.

> Here's what I think the request should be:

You're missing <NameIDPolicy AllowCreate="true"/>, which is almost always
needed because AllowCreate unfortunately defaults to false, creating
implied, largely useless, limitations on what the IdP can do to respond.

Including a Subject is also extremely rare, and including a transient ID in
a request is even rarer, borderline unheard of. Otherwise you're pretty
close.

> Here's what I think the response should be:

Your confirmation Method is incorrect; it should be the bearer method. The
confirmation data is also missing the NotOnOrAfter, Recipient, and Address XML
attributes, and the assertion is missing an Audience condition. There's also
no signature on the response or the assertion, though perhaps that was left
implied.

All of that speaks to the security of the implementation, so if none of that
was clear to begin with, you're on dangerous ground and may need to go back
and re-read some of this.

> So, again, my questions are:
>
> 1) Is this a valid SAML interaction?

Not really, you're a ways from the minimum.

> 2) Can either the request or response xml be simplified?

For SSO, no.

I'm sure you've read the profile, and I assume core and bindings, but what
you need to do is read the sections of the profile that govern AuthnRequest
and Response usage and you will find the MUST statements covering what you
have to put in them.

> 3) Where in the response should I put the subject's email address?

In a NameID with the emailAddress Format, or in an Attribute.

But I would again urge you to consider choosing an existing solution,
commercial or open source, based on your environment's needs and the scale
of your deployment requirements. Different options will provide different
strengths and weaknesses.
-- Scott
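As an added example (not part of Scott's reply or the original post): an SP-side check, in plain Python, for the Response requirements he lists above, namely a bearer SubjectConfirmation carrying NotOnOrAfter, Recipient and Address, and an Audience condition naming the SP. The ACS URL, entity ID, client address and the sample Response are constructed values, and XML signature verification is deliberately left to a real SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_assertion(xml_text, acs_url, sp_entity_id, client_ip, now=None):
    """Return problems found in the first Assertion; [] means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    # Bearer confirmation carrying NotOnOrAfter, Recipient and Address
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != BEARER:
        problems.append("SubjectConfirmation Method is not bearer")
    if scd is None:
        problems.append("SubjectConfirmationData is missing")
    else:
        for attr in ("NotOnOrAfter", "Recipient", "Address"):
            if scd.get(attr) is None:
                problems.append(f"SubjectConfirmationData lacks {attr}")
        if scd.get("Recipient", acs_url) != acs_url:
            problems.append("Recipient is not this SP's ACS URL")
        if scd.get("Address", client_ip) != client_ip:
            problems.append("Address does not match the presenting client")
        exp = scd.get("NotOnOrAfter")
        if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
            problems.append("bearer confirmation has expired")
    # Audience condition that names this SP (signature checks are out of scope here)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("Assertion has no Audience condition")
    elif sp_entity_id not in audiences:
        problems.append("Audience does not name this SP")
    return problems
# Constructed sample: bearer method and Recipient present, but no Address and no Audience
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://sp.example.org/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
 </saml:Assertion>
</samlp:Response>"""
```

Running `check_assertion(SAMPLE_RESPONSE, "https://sp.example.org/acs", "https://sp.example.org", "203.0.113.7")` reports the missing Address, the long-expired bearer window, and the absent Audience condition.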
---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org