
saml-dev message


Subject: RE: [saml-dev] FW: SAML 2.0 Authentication Request Questions



One of the issues you have is the subject confirmation domain of the assertion received back by the Service Agency in step 4.   A typical SAML IDP would generate an assertion for the Service Agency, not for your Assertion Service SAML IDP (ASSI).  So the first step would be to get an assertion in step 4 that was usable at both the Service Agency and ASSI (or have a way for the Service Agency to ask the Login Service SAML IDP for an assertion for the ASSI – such as the Liberty IDWSF Discovery Service or Authentication Service).


Once Service Agency has an authentication Assertion for the ASSI, you could handle step 5 in two steps and be fully within the standard:

·         Service Agency sends unrequested AuthnResponse with assertion to Assertion consumer URL at ASSI.  

·         ASSI processes the assertion and creates “authentication Session” associated with that assertion and returns handle (e.g. as a cookie)

·         Service Agency sends AuthnRequest for attributes containing said handle and the ASSI processes said request.

·         ASSI sends response with assertion and attributes.


The 2nd stage of this could probably more easily be handled with an AttributeQuery than AuthnRequest since that is actually what you are doing (as far as I can tell).
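The four bullets above, worked as an added example (this is not code from the post, nor from any OASIS or Liberty project): the Login Service IDP's assertion is built either the way a typical IDP would issue it for the Service Agency alone, or with a bearer SubjectConfirmation and an Audience for both the Service Agency and the ASSI; the checks an assertion consumer applies (bearer Recipient, Conditions validity window, AudienceRestriction) show why only the second one is usable at the ASSI; and the third bullet is written as the AttributeQuery the post suggests. Entity IDs, ACS URLs, attribute names and the choice to carry the ASSI's session handle as a transient NameID are assumptions made for illustration; the post leaves the handle's carrier open.

```python
# Added example (not code from the list post). Party identifiers, URLs and the
# choice to carry the ASSI session handle as a transient NameID are assumptions.
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TS = "%Y-%m-%dT%H:%M:%SZ"

LOGIN_IDP = "https://login.example.govt/idp"              # Login Service SAML IDP (assumed)
SERVICE_AGENCY = "https://agency.example.govt/sp"         # Service Agency entityID (assumed)
SERVICE_AGENCY_ACS = "https://agency.example.govt/sp/acs"
ASSI = "https://assertions.example.govt/assi"             # Assertion Service SAML IDP (assumed)
ASSI_ACS = "https://assertions.example.govt/assi/acs"


def _t(s):
    return dt.datetime.strptime(s, TS)


def build_assertion(audiences, recipients, issued, lifetime_s=300):
    """Unsigned assertion from the Login Service IDP: one bearer
    SubjectConfirmation per recipient ACS, one Audience per consumer."""
    expiry = (issued + dt.timedelta(seconds=lifetime_s)).strftime(TS)
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_a1",
                   IssueInstant=issued.strftime(TS))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = LOGIN_IDP
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=TRANSIENT).text = "_t8f2c"
    for acs in recipients:
        sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
        ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                      Recipient=acs, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         NotBefore=issued.strftime(TS), NotOnOrAfter=expiry)
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    for aud in audiences:
        ET.SubElement(ar, f"{{{SAML}}}Audience").text = aud
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, my_entity_id, my_acs_url, now):
    """Reasons this consumer must reject the assertion ([] = accept). Signature
    verification and assertion-ID replay tracking come before this in practice."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != LOGIN_IDP:
        problems.append("issuer is not the trusted Login Service IDP")
    # Bearer confirmation: at least one SubjectConfirmation must name OUR ACS.
    usable = False
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        d = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and d is not None
                and d.get("Recipient") == my_acs_url and _t(d.get("NotOnOrAfter")) > now):
            usable = True
    if not usable:
        problems.append(f"no valid bearer SubjectConfirmation for {my_acs_url}")
    cond = a.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        problems.append("outside Conditions validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        problems.append(f"{my_entity_id} is not in AudienceRestriction {audiences}")
    return problems


def build_attribute_query(session_handle, attribute_names, issued):
    """Third bullet as an AttributeQuery: the ASSI's session handle is the
    subject (assumed carrier), and each wanted attribute is named explicitly."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", Version="2.0", ID="_q1",
                   IssueInstant=issued.strftime(TS))
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = SERVICE_AGENCY
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=TRANSIENT).text = session_handle
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name)
    return ET.tostring(q, encoding="unicode")


def demo():
    issued = dt.datetime(2012, 6, 1, 0, 0, 0)
    now = issued + dt.timedelta(minutes=1)
    # What a typical IDP issues for the Service Agency alone, vs. one usable at both.
    typical = build_assertion([SERVICE_AGENCY], [SERVICE_AGENCY_ACS], issued)
    dual = build_assertion([SERVICE_AGENCY, ASSI], [SERVICE_AGENCY_ACS, ASSI_ACS], issued)
    return {
        "typical_at_agency": check_assertion(typical, SERVICE_AGENCY, SERVICE_AGENCY_ACS, now),
        "typical_at_assi": check_assertion(typical, ASSI, ASSI_ACS, now),
        "dual_at_assi": check_assertion(dual, ASSI, ASSI_ACS, now),
        "query": build_attribute_query("_s9d4e", ["name", "dob", "gender"], now),
    }
```

The first bullet is the dual-audience assertion inside a `<samlp:Response>` that carries no InResponseTo, which is what makes it unsolicited; the ASSI's assertion consumer URL should accept such a response only from the Service Agency's entityID, and must verify the signature over the assertion and track assertion IDs against replay before running the checks above. Note that a single bearer SubjectConfirmation cannot serve two consumers, because Recipient names one ACS; that is the subject confirmation domain problem the first paragraph raises.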




From: Colin Wallis [mailto:Colin.Wallis@dia.govt.nz]
Sent: Friday, June 01, 2012 12:21 AM
To: 'Tom Scavo'
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] FW: SAML 2.0 Authentication Request Questions


Yeah, we screwed up our elements in Request and Response somewhat.. sorry ... :-)




1) Is there any element to pass the SAML Assertions received in step 4, inside SAML AuthnRequest in step 5 other than extension element?

2) The attribute nametypes (name, DoB, gender etc.) returned in step 7 will be a URI inside the <AuthnContextClassRef> element.


Any clearer?










-----Original Message-----
From: Tom Scavo [mailto:trscavo@gmail.com]
Sent: Friday, 1 June 2012 1:06 a.m.
To: Colin Wallis
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] FW: SAML 2.0 Authentication Request Questions


On Thu, May 31, 2012 at 1:41 AM, Colin Wallis <Colin.Wallis@dia.govt.nz> wrote:


> 1.    Can we use <AuthnContextDecl> element to pass SAML authentication
> assertion in the authentication request to the assertion service?


The <AuthnContextDecl> element is a child element of <AuthnContext> in the response, not the request, so I'm not sure what you mean...


> 2.    Can we use <AuthnContextClassRef> element to pass attribute names in
> the authentication request to the assertion service?


By reference? To what?


Sorry I can't be of more help, perhaps you can clarify your questions a bit more.






