
saml-dev message



Subject: Re: [saml-dev] Any 3 leg profile?


On 2/27/13 12:00 PM, "Will Hartung" <willh@mirthcorp.com> wrote:

>By 3 leg I mean client authenticates with IdP, gets Token, client then
>makes request to SP with Token, that the SP verifies/accepts Token and
>delivers the service.
>
>Is there another term of art for this?

Hmm, that sounds like basic SSO to me. SAML has always had that.

>We're looking for a "more SAML than not" solution, since we're not
>really motivated to actually use OAuth for this (which the SAML Bearer
>Assertion Profile is). We can always hand craft something, but if
>there's already been work that we can adopt, that would be better.

I think you probably want to look at ECP then, if the problem is that the
client's not a browser. In its pure form, it still relies on a server
challenge to get the flow going, but there are ways to supplement that,
and frankly, it's not clear a challenge from the server isn't a good model
anyway, since it allows for RP influence over token characteristics.

By three-legged, I assumed you meant client talking to server talking to
back-end service on behalf of client, i.e. delegation. Which I have also
used ECP to model, but it's a more complex scenario with more
supplementary specs.

-- Scott
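
The ECP exchange mentioned above, seen from the client's side, as an added example that is not part of the original message: the SP's challenge is split, only the SOAP body goes on to the IdP, and the IdP's reply is relayed only if the endpoint it names matches the one the SP asked for. The URLs, IDs and envelopes are constructed and trimmed (no `mustUnderstand`/`actor` attributes, no signatures), the function names are hypothetical, and a real client answers the SP with a SOAP fault on a mismatch rather than raising.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XMLNS = f'xmlns:S="{SOAP}" xmlns:paos="{PAOS}" xmlns:ecp="{ECP}" xmlns:samlp="{SAMLP}"'

# Headers the client sends on its first request so the SP knows it can answer
# with a PAOS challenge instead of a browser redirect.
CLIENT_HEADERS = {"Accept": "text/html, application/vnd.paos+xml",
                  "PAOS": f'ver="{PAOS}";"{ECP}"'}

# Constructed sample: the SP's challenge (SOAP envelope carrying an AuthnRequest).
SP_CHALLENGE = f"""<S:Envelope {XMLNS}><S:Header>
  <paos:Request responseConsumerURL="https://sp.example.org/ecp/acs" service="{ECP}"/>
  <ecp:RelayState>opaque-state-1</ecp:RelayState>
</S:Header><S:Body><samlp:AuthnRequest ID="_req1" Version="2.0"/></S:Body></S:Envelope>"""

def idp_reply(acs_url):
    """Constructed sample: the IdP's SOAP reply naming where the assertion must go."""
    return f"""<S:Envelope {XMLNS}><S:Header>
  <ecp:Response AssertionConsumerServiceURL="{acs_url}"/>
</S:Header><S:Body><samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0"/></S:Body></S:Envelope>"""

def to_idp(sp_challenge):
    """Split the SP challenge: keep the header values, forward only the SOAP body."""
    env = ET.fromstring(sp_challenge)
    header = env.find(f"{{{SOAP}}}Header")
    consumer = header.find(f"{{{PAOS}}}Request").get("responseConsumerURL")
    relay = header.findtext(f"{{{ECP}}}RelayState")
    env.remove(header)  # PAOS/ECP headers are addressed to the client, not the IdP
    return consumer, relay, ET.tostring(env, encoding="unicode")

def to_sp(idp_response, consumer, relay):
    """Return (url, envelope) to POST to the SP, or raise if the IdP's ACS URL differs."""
    env = ET.fromstring(idp_response)
    header = env.find(f"{{{SOAP}}}Header")
    acs = header.find(f"{{{ECP}}}Response").get("AssertionConsumerServiceURL")
    if acs != consumer:
        # The IdP issued for a different endpoint than the one that challenged us.
        raise ValueError(f"ACS mismatch: SP said {consumer!r}, IdP said {acs!r}")
    header.clear()  # drop IdP headers, then echo the SP's RelayState back
    if relay is not None:
        ET.SubElement(header, f"{{{ECP}}}RelayState").text = relay
    return acs, ET.tostring(env, encoding="unicode")
```

The client authenticates to the IdP at the HTTP layer when it posts the forwarded envelope; validating the assertion's signature and conditions remains the SP's job.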



