Subject: RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?
> Hello I'm generally familiar with Kerberos realms. Here are my questions.
> What is the equivalent of cross realm trusts in the SAML world - is there
> the equivalent of cross IdP trusts

Trust in SAML is out of scope and is up to the implementations. Most SAML systems are based around PKI, metadata exchange, or a combination of the two for trust management, and are inherently cross-domain. It's possible to implement SAML with symmetric keys and end up with something very like Kerberos, but that's fairly pointless (why not just use Kerberos?).

> Does this equivalent exist in SAML? All of the examples I see involve a
> user, a single IdP and an SP.

You're confusing protocols between two parties with trust fabrics that potentially can encompass hundreds or thousands of parties. And in SAML any exchanges are potentially cross domain because the IdP is the equivalent of the KDC.

> In my SAML scenario, there are two IdPs (IdP1 and IdP2) that trust each
> other. User X is known by IdP1 and SP Z trusts IdP2. IdP1 and IdP2 trust
> each other.

That's a proxying scenario.

> a) What is the protocol sequence here? Given that SPs refer users to an
> IdP, it's like a reverse Kerberos referral model. Would SP refer user X
> to IdP2 who in turn refers X to IdP1 which results then in a security
> token from IdP1, followed by a security token from IdP2, followed by
> access to the resource

Yes.

> b) If a) is correct, could someone point me to the drafts that do this?

It's in core.

> c) Do existing SAML toolkits do something like this?

Toolkits are not IdPs and SPs, they're raw material for building one. I don't know how common formal proxying is in IdPs.

-- Scott
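The proxying sequence confirmed in the reply above (SP Z refers X to IdP2, IdP2 refers X on to IdP1, IdP1 issues an assertion to IdP2, IdP2 issues its own assertion to SP Z), as an added simulation that is not part of the thread. The party names are the poster's; the HMAC "signatures", the JSON assertion shape, the 300-second validity window and the field names are constructed stand-ins for the XML signatures and metadata-distributed keys a real deployment would use. The `authenticating_authority` and `proxy_count` fields mirror the role of SAML's AuthenticatingAuthority and ProxyRestriction Count, but the names here are the example's own. The point to watch is the trust stores: SP Z holds only IdP2's key, so IdP1's assertion on its own is rejected, and only the re-issued assertion from IdP2 is accepted.

```python
import hashlib
import hmac
import json
import time

# Constructed keys: stand-ins for the signing key pairs that SAML metadata
# would distribute. Each issuer signs with its own key.
SIGNING_KEYS = {"IdP1": b"constructed-idp1-key", "IdP2": b"constructed-idp2-key"}

# Trust stores: a verifier holds only the keys of issuers it trusts.
# SP Z trusts IdP2 alone; IdP2 trusts IdP1. SP Z has no relationship with IdP1.
TRUST_STORES = {
    "IdP2": {"IdP1": SIGNING_KEYS["IdP1"]},
    "SP-Z": {"IdP2": SIGNING_KEYS["IdP2"]},
}


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def sign(issuer, body):
    """Attach an HMAC tag as a simplified stand-in for an XML signature."""
    mac = hmac.new(SIGNING_KEYS[issuer], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": mac}


def verify(verifier, assertion, now):
    """Checks a relying party (an SP, or a proxying IdP) performs before accepting an assertion."""
    body = assertion["body"]
    key = TRUST_STORES[verifier].get(body["issuer"])
    if key is None:
        raise ValueError(f"{verifier} has no trust relationship with {body['issuer']}")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("signature check failed")
    if body["audience"] != verifier:
        raise ValueError(f"assertion addressed to {body['audience']}, not {verifier}")
    if not body["not_before"] <= now < body["not_on_or_after"]:
        raise ValueError("assertion outside its validity window")
    return body


def issue_assertion(issuer, subject, audience, now, authenticating_authority=(), proxy_count=0):
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + 300,
        # Chain of IdPs that actually authenticated the subject (cf. SAML AuthenticatingAuthority)
        "authenticating_authority": list(authenticating_authority),
        # Further proxy hops the issuer permits (cf. SAML ProxyRestriction Count)
        "proxy_count": proxy_count,
    }
    return sign(issuer, body)


def proxy_at_idp2(idp1_assertion, sp, now):
    """IdP2 consumes IdP1's assertion as a relying party, then issues its own to the SP."""
    body = verify("IdP2", idp1_assertion, now)
    if body["proxy_count"] < 1:
        raise ValueError("IdP1 forbids further proxying of this assertion")
    chain = body["authenticating_authority"] + [body["issuer"]]
    return issue_assertion("IdP2", body["subject"], sp, now, chain, body["proxy_count"] - 1)


def run_proxy_flow(now=None, proxy_count=1):
    now = time.time() if now is None else now
    # 1. SP Z refers user X to IdP2 (the AuthnRequest, shown as a plain dict)
    request_to_idp2 = {"issuer": "SP-Z", "destination": "IdP2"}
    # 2. IdP2 does not know X and refers the user on to IdP1 (IdP2 acting as an SP)
    request_to_idp1 = {"issuer": "IdP2", "destination": "IdP1", "on_behalf_of": request_to_idp2["issuer"]}
    # 3. IdP1 authenticates X and issues an assertion addressed to IdP2
    idp1_assertion = issue_assertion("IdP1", "X", request_to_idp1["issuer"], now, proxy_count=proxy_count)
    # 4. IdP2 validates it and issues its own assertion addressed to SP Z
    idp2_assertion = proxy_at_idp2(idp1_assertion, request_to_idp2["issuer"], now)
    # 5. SP Z validates IdP2's assertion and grants access
    accepted = verify("SP-Z", idp2_assertion, now)
    return {"idp1_assertion": idp1_assertion, "idp2_assertion": idp2_assertion, "accepted": accepted}


def sp_accepts(assertion, now):
    """True when SP Z would grant access on this assertion alone."""
    try:
        verify("SP-Z", assertion, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    result = run_proxy_flow()
    print("SP Z accepted:", json.dumps(result["accepted"], indent=2))
    print("IdP1's assertion presented directly to SP Z:", sp_accepts(result["idp1_assertion"], time.time()))
```

Running it shows the assertion SP Z finally accepts carries `issuer: IdP2` with `authenticating_authority: ["IdP1"]`, so the SP can still see who really authenticated X even though it only has a trust relationship with IdP2; presenting IdP1's token to SP Z directly fails the trust-store lookup.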