RE: [saml-dev] SAML newbie question - do cross IdP trusts exist in SAML?

["Scott Cantor" <cantor.2@osu.edu>]

> Hello I'm generally familiar with Kerberos realms. Here is my questions.
> What is the equivalent of cross realm trusts in the SAML world - is there
> the equivalent of cross IdP trusts

Trust in SAML is out of scope and is up to the implementatioons. Most SAML
systems are based around PKI, metadata exchange, or a combination of the two
for trust management, and are inherently cross-domain. It's possible to
implement SAML with symmetric keys and end up with something very like
Kerberos, but that's fairly pointless (why not just use Kerberos?).

> Does this equivalent exist in SAML? All of the examples I see involve a
> user, a single IdP and an SP.

You're confusing protocols between two parties with trust fabrics that
potentially can encompass hundreds or thousands of parties. And in SAML any
exchanges are potentially cross domain because the IdP is the equivalent of
the KDC.

> In my SAML scenario, there are two IdPs  (IdP1 and IdP2) that trust each
> other.  User  X is known by IdP1 and  SP  Z trusts IdP2. IdP1 and IdP2
trust
> each other.

That's a proxying scenario.

> a) What is the protocol sequence here? Given that SPs refer users to an
> IdP, it's like a reverse Kerberos referral model.  Would SP refer user X
> to IdP2 who in turn refers X to IdP1 which results then in a security
> token from IdP1, followed by a security token from IdP2, followed by
> access to the resource

Yes.

> b) If a) is correct, could someone point me to the drafts that do this?

It's in core.

> c)  Do  existing SAML toolkits do something like this?

Toolkits are not IdPs and SPs, they're raw material for building one. I
don't know how common formal proxying is in IdPs.

-- Scott