OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] AuthnRequest usage - 'recognize' principal

The other purpose of this element was for re-authentication in the middle of a session:  where the SP had already received an assertion from the IdP, but for whatever policy reasons -- including approaching the end of the SessionNotOnOrAfter timeframe on the AuthnStatement, or a change in the authentication requirements due to access to more restricted resources -- has decided that they need to re-authenticate the user.   

In this case the SP wants to make sure that the user that is continuing the session is the same one that started the session.

This situation can apply to web SSO.


-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@osu.edu] 
Sent: Friday, August 02, 2013 10:21 AM
To: Lucas, Mike; saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] AuthnRequest usage - 'recognize' principal

On 8/2/13 9:40 AM, "Lucas, Mike" <Mike.Lucas@gwl.ca> wrote:

>In the case where we are acting as the identity provider, we were 
>planning on accepting the Subject name (userid onService Provider 
>system) and just logging it for audit/debugging purposes. Wedon¹t have 
>any way to verify that the user is actually that user, but wedo trust 
>the contents of the AuthnRequest­ soif the Service Provider says that¹s 
>the principal we believe them (it¹s  their user).

No, it's your user too. If not, how could you be authenticating them?

As Conor said, if you don't have a way to map from the Subject to a principal in your system, you MUST fail the request. And unless the SP has a good reason for specifying Subject, it shouldn't do so.

You don't have to return the exact same Subject, just a Subject that represents the same principal in your system, and that meets the requested NameIDPolicy, if any.

The point of a Subject element there is to provide a round trip guarantee about the user identity to match back to something the SP has determined, and as a minimal sort of NameID Mapping capability during SSO.

The primary purpose of that element is not for Web SSO, it's for stand alone token request use cases.

-- Scott

To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]