OASIS Mailing List Archives
saml-dev message



Subject: Re: [saml-dev] FW: Products and OSS that support SAML2 Assertion XML reuse


On 7/14/11 4:41 AM, "Colin Wallis" <Colin.Wallis@dia.govt.nz> wrote:
>
>(5. In our scenario both IDP and STS are co-located. STS validates the
>signature of IDP issued assertion and checks timestamp. If both are valid
>then issues a token for user so that he can be identified at SP2. The
>token contains pseudonymous reference of the user at SP2's resource.)

You can do that, but the proper way is to include additional subject
confirmation and audience conditions into the original assertion that
targets the STS and it simply acts as a standard relying party. You can't
do that properly with an unmodified SSO assertion targeted at one SP.

>Putting aside the fairly complex message flow (which was not the point at
>this moment), does this make more sense about the question of
>'persistence'?

It's standard delegation, and SAML includes support for all of that
without WS-Trust needing to be added. But that aside, yes, you just meant
that you need to have access to the assertion after the login to the SP is
done. I can't tell you what others do, but Shibboleth SPs cache the
assertion and have mechanisms to make them available.

>Our previous questions are related to feasibility of our use case to work
>with SAML2 products. If they allowed the re-use of the original IDP
>issued assertion, then our integration and any customisation work is
>considerably lessened.

Most IdPs will in general NOT issue assertions that can be correctly
reused. That's separate from whether the SP will make it available.

-- Scott
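The point Scott makes above, that a second relying party (the STS) can only accept an assertion the IdP deliberately addressed to it, and that an unmodified SSO assertion targeted at one SP will fail a correct relying-party check, can be shown with a small constructed example. The code below is an added illustration written for this archive page; it is not Scott's, Colin's, or Shibboleth's code. It builds minimal unsigned SAML 2.0 assertions with Python's standard library and runs the standard relying-party checks on them (validity window, AudienceRestriction, and a usable bearer SubjectConfirmation). The entity IDs, endpoint URLs, NameID value and timestamps are made up, and the choice of a bearer confirmation pointed at the STS endpoint is an assumption for the example; signature verification is omitted and must precede these checks in any real relying party.

```python
"""Constructed example: a relying-party check applied to (a) an SSO assertion
addressed only to SP1 and (b) an assertion the IdP also addressed to an STS.
Entity IDs, URLs and times are made up. XML signature verification is out of
scope here; a real relying party verifies the signature before these checks.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"saml": SAML}

# Hypothetical parties (assumed values for the example)
IDP = "https://idp.example.org/idp"
SP1 = "https://sp1.example.org/sp"
SP1_ACS = "https://sp1.example.org/Shibboleth.sso/SAML2/POST"
STS = "https://sts.example.org/sts"
STS_ENDPOINT = "https://sts.example.org/trust"


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issued_at, confirmations, audiences, lifetime=timedelta(minutes=5)):
    """Build a minimal unsigned SAML 2.0 assertion.

    confirmations: (method, recipient) pairs, one SubjectConfirmation each.
    audiences: entity IDs placed in one AudienceRestriction, i.e. the assertion
    is addressed to any one of them.
    """
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"Version": "2.0", "ID": "_a1", "IssueInstant": fmt(issued_at)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": PERSISTENT}).text = "a1b2c3"
    for method, recipient in confirmations:
        sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": method})
        ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                      {"Recipient": recipient, "NotOnOrAfter": fmt(issued_at + lifetime)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": fmt(issued_at), "NotOnOrAfter": fmt(issued_at + lifetime)})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    for aud in audiences:
        ET.SubElement(ar, f"{{{SAML}}}Audience").text = aud
    return ET.tostring(a, encoding="unicode")


def validate_as_relying_party(xml_text, my_entity_id, my_endpoint, now):
    """Standard relying-party checks, run after (omitted) signature verification."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter"))):
        return "rejected: assertion validity window"
    # Every AudienceRestriction must independently name this relying party.
    for ar in root.findall("saml:Conditions/saml:AudienceRestriction", NS):
        if my_entity_id not in [e.text for e in ar.findall("saml:Audience", NS)]:
            return "rejected: not in audience"
    # Need one bearer SubjectConfirmation whose Recipient is our own endpoint.
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and data is not None
                and data.get("Recipient") == my_endpoint
                and now < parse(data.get("NotOnOrAfter"))):
            return "accepted"
    return "rejected: no usable SubjectConfirmation"


def demo(now=datetime(2011, 7, 14, 12, 0, 0, tzinfo=timezone.utc)):
    """Evaluate the two assertion shapes at SP1 and at the STS."""
    sso_only = build_assertion(now, [(BEARER, SP1_ACS)], [SP1])
    audience_only = build_assertion(now, [(BEARER, SP1_ACS)], [SP1, STS])
    reusable = build_assertion(now, [(BEARER, SP1_ACS), (BEARER, STS_ENDPOINT)], [SP1, STS])
    t = now + timedelta(seconds=10)
    return {
        "sp1_sso_only": validate_as_relying_party(sso_only, SP1, SP1_ACS, t),
        "sts_sso_only": validate_as_relying_party(sso_only, STS, STS_ENDPOINT, t),
        "sts_audience_only": validate_as_relying_party(audience_only, STS, STS_ENDPOINT, t),
        "sp1_reusable": validate_as_relying_party(reusable, SP1, SP1_ACS, t),
        "sts_reusable": validate_as_relying_party(reusable, STS, STS_ENDPOINT, t),
        "sts_expired": validate_as_relying_party(reusable, STS, STS_ENDPOINT, now + timedelta(minutes=6)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The SSO-only assertion is accepted at SP1 and rejected at the STS on the audience check; adding the STS to the audience alone is still not enough, because no SubjectConfirmation names the STS endpoint; only the assertion that carries both the extra Audience and the extra SubjectConfirmation passes at both parties, and even that one stops validating once its window expires, which is why an SP that caches assertions for later use still cannot stretch their lifetime.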
