saml-dev message
Subject: RE: [saml-dev] FW: Help with what standards support these WebServices calls?


Scenario 1 represents a basic confusion between using SAML as a part of WS Security and using SOAP as a transport for the SAML SP-IdP Protocols.
 
In steps 1 & 2 the SP (agency1) can send an Authentication Request and get an Authentication Response. All the SAML protocol information is carried in the SOAP body. The Username token is NOT used.
 
In steps 3 & 4, the SAML Assertion returned above is put in the WS-Security header and used to protect an application request.
 
As someone else noted, WS-Trust could also be used for steps 1 & 2. The main advantage in using WS-Trust vs. SAML Authn Req is that WS-Trust has a mechanism for conveying a key back to the requestor (corresponding to the key in the Token) which can then be used for message protection and to bind the SAML Assertion to the message contents, assuming Agency 1 & Agency 2 have the necessary cryptographic capabilities. With SAML Authn Req, Holder of Key Subject confirmation cannot be used unless some other means of key distribution is provided.
 
In scenario 2 it is not clear what data is being exchanged between Agency 1 and the Authentication service. It is also not clear what the relationship between the 3 different SAML tokens is, i.e. what parties do they refer to?
 
My suspicion is that the real question posed in scenario 2 is "WS-Trust (or WS-Fed) can do X in a certain way. Can SAML do X in the same way or a different way?"
 
Hal
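The distinction Hal draws above (SAML SP-IdP protocol carried in the SOAP Body in steps 1 & 2, versus the returned Assertion placed in the WS-Security header in steps 3 & 4, and WS-Trust's proof-key mechanism as the alternative for steps 1 & 2), as an added example that is not part of the thread or of any OASIS specification text. It is a small standard-library Python checker run over constructed SOAP envelopes; the endpoint names (agency1.example, idp.example, urn:agency2:app), the element IDs and the key material are placeholders, while the namespace URIs and subject-confirmation method URIs are the real SAML 2.0, WS-Security 1.0 and WS-Trust 1.3 ones.

```python
"""Added example (not from the thread): tell 'SAML protocol over SOAP' apart
from 'SAML assertion as a WS-Security token', and report what key binding the
assertion offers. All envelopes are constructed samples with placeholder names."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def q(prefix, local):
    """Clark-notation tag for an element in one of the namespaces above."""
    return "{%s}%s" % (NS[prefix], local)


def subject_confirmation(assertion):
    """(Method URI, True if a ds:KeyInfo names the confirming key)."""
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None:
        return (None, False)
    key = sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS)
    return (sc.get("Method"), key is not None)


def describe(envelope_xml):
    """Which SAML / WS-Trust elements an envelope carries and where:
    'body'   = the SP-IdP protocol itself (SAML SOAP binding or WS-Trust RSTR)
    'header' = an Assertion used as a WS-Security token on an app request."""
    root = ET.fromstring(envelope_xml)
    wanted = {q("samlp", "AuthnRequest"), q("samlp", "Response"),
              q("wst", "RequestSecurityTokenResponse"), q("saml", "Assertion")}
    out = {"header": [], "body": [], "confirmations": [], "proof_key": False}
    for where in ("header", "body"):
        part = root.find("soap:" + where.capitalize(), NS)
        for el in ([] if part is None else part.iter()):
            if el.tag in wanted:
                out[where].append(el.tag.split("}")[1])
            if el.tag == q("saml", "Assertion"):
                out["confirmations"].append(subject_confirmation(el))
            if el.tag == q("wst", "RequestedProofToken"):
                out["proof_key"] = True   # WS-Trust handed the requester a key
    return out


def key_binding(envelope_xml):
    """Can the requester bind the returned assertion to its later messages?"""
    d = describe(envelope_xml)
    methods = [m for m, _ in d["confirmations"]]
    if HOLDER_OF_KEY in methods:
        # HoK only helps if the requester also received the key: WS-Trust
        # conveys it in wst:RequestedProofToken; a plain AuthnRequest does not.
        return "proof-key-conveyed" if d["proof_key"] else "hok-needs-out-of-band-key"
    return "bearer" if BEARER in methods else "no-assertion"


# ---- constructed sample messages (placeholder names, IDs and key bytes) ----
DECL = ('xmlns:soap="%(soap)s" xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'xmlns:wsse="%(wsse)s" xmlns:wst="%(wst)s" xmlns:ds="%(ds)s"' % NS)
SUCCESS = ("<samlp:Status><samlp:StatusCode "
           "Value='urn:oasis:names:tc:SAML:2.0:status:Success'/></samlp:Status>")


def assertion(method, key_info=""):
    """Minimal assertion for the sample IdP 'idp.example' (placeholder)."""
    return ("<saml:Assertion ID='_a1' Version='2.0' IssueInstant='2011-02-11T00:00:00Z'>"
            "<saml:Issuer>https://idp.example</saml:Issuer><saml:Subject>"
            "<saml:NameID>venkat</saml:NameID><saml:SubjectConfirmation Method='%s'>"
            "<saml:SubjectConfirmationData>%s</saml:SubjectConfirmationData>"
            "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>" % (method, key_info))


# Steps 1 & 2: the SAML protocol rides in the SOAP Body; no UsernameToken anywhere.
STEP1_AUTHN_REQUEST = (
    "<soap:Envelope %s><soap:Body><samlp:AuthnRequest ID='_r1' Version='2.0' "
    "IssueInstant='2011-02-11T00:00:00Z'><saml:Issuer>https://agency1.example/sp"
    "</saml:Issuer></samlp:AuthnRequest></soap:Body></soap:Envelope>" % DECL)
STEP2_AUTHN_RESPONSE = (
    "<soap:Envelope %s><soap:Body><samlp:Response ID='_p1' Version='2.0' "
    "IssueInstant='2011-02-11T00:00:01Z' InResponseTo='_r1'>%s%s</samlp:Response>"
    "</soap:Body></soap:Envelope>" % (DECL, SUCCESS, assertion(BEARER)))
# Steps 3 & 4: the same assertion moves into the WS-Security header of an app request.
STEP3_APP_REQUEST = (
    "<soap:Envelope %s><soap:Header><wsse:Security>%s</wsse:Security></soap:Header>"
    "<soap:Body><GetRecord xmlns='urn:agency2:app'>42</GetRecord></soap:Body>"
    "</soap:Envelope>" % (DECL, assertion(BEARER)))
# WS-Trust alternative for steps 1 & 2: HoK assertion plus the proof key it names.
WS_TRUST_RSTR = (
    "<soap:Envelope %s><soap:Body><wst:RequestSecurityTokenResponse>"
    "<wst:RequestedSecurityToken>%s</wst:RequestedSecurityToken><wst:RequestedProofToken>"
    "<wst:BinarySecret>c2VjcmV0LWtleS1ieXRlcw==</wst:BinarySecret></wst:RequestedProofToken>"
    "</wst:RequestSecurityTokenResponse></soap:Body></soap:Envelope>"
    % (DECL, assertion(HOLDER_OF_KEY, "<ds:KeyInfo><ds:KeyName>agency1-key</ds:KeyName></ds:KeyInfo>")))

if __name__ == "__main__":
    for name, env in (("step 1", STEP1_AUTHN_REQUEST), ("step 2", STEP2_AUTHN_RESPONSE),
                      ("step 3", STEP3_APP_REQUEST), ("WS-Trust", WS_TRUST_RSTR)):
        print(name, describe(env), key_binding(env))
```

Running it shows steps 1 and 2 as protocol traffic in the Body (a bearer assertion comes back with no key), step 3 as that assertion sitting in the wsse:Security header, and the WS-Trust RSTR as the only message that both names a holder-of-key and conveys the matching proof key to the requester; a holder-of-key assertion returned through a plain AuthnRequest/Response is flagged as needing out-of-band key distribution, which is Hal's caveat.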
-----Original Message-----
From: Colin Wallis [mailto:Colin.Wallis@dia.govt.nz]
Sent: Friday, February 11, 2011 12:00 AM
To: saml-dev@lists.oasis-open.org; colin_wallis@hotmail.com
Subject: [saml-dev] FW: Help with what standards support these Web Services calls?

Greetings all

More help requests from one of our architects..

Any thoughts folks? It's a bit minimalist, I know. I might ask for some more context..

(It strikes me as the same question as a few weeks ago, but asked in a different way… However, see what you think…)

Cheers

Colin

…………………………………………………………………………………………………………………………………………………..

We got a couple of scenarios through back-channel web service calls.

I would like to know what messaging standards the rest of the world follows for these scenarios:

Scenario 1: No data exchange of communication.

Scenario 2: Agency and authentication service exchange data before obtaining token for agency 2

Thanks

Venkat
