OASIS Mailing List Archives
saml-dev message



Subject: Re: [saml-dev] Questions related to SAMLv2.0


On Wed, Mar 12, 2014 at 2:32 PM, Security Developer
<security.developer22@gmail.com> wrote:
>
> 1- How will a persistent name identifier be established between the IDP and
> multiple SPs when using the SAML webSSO profile?

Practically speaking, Persistent NameIDs are created at the IdP and
passed to SPs just-in-time; they are not prearranged in advance.

> 2- When a SAML assertion is received by the SP, does it validate the SAML
> assertion locally, or does it call the IDP for SAML assertion validation?

Well, it wouldn't make much sense for an IdP to validate its own
assertion. The SP validates the assertion according to the SAML spec.
The SP verifies the signature on the assertion using a key obtained
out-of-band, often via trusted metadata.

> 3- In which request form do SAML assertions pass from one SP to another, and so
> on, in order to achieve webSSO?

In my world, anyway, assertions travel from IdP to SP only. The only
exception is the IdP Proxy (which you can read about in SAML Core). In
that case, the IdP Proxy is both a consumer and producer of
assertions, that is, it is both an SP and an IdP.

Hope this helps,

Tom
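
The SP-side validation Tom describes in his answer to question 2, as an added
example that is not part of the original message and not taken from any SAML
toolkit. It is written in Go against the standard library only. The IdP side
mints an assertion just-in-time and signs it; the SP then does every check
locally, starting with the signature, using a key it was configured with out of
band (the sp.IdPKey field stands in for the signing key published in trusted
metadata) and never a key carried inside the message. Assumptions: the
entityIDs and the NameID value are constructed for the example; the assertion
is cut down to the fields the SP checks; and the signature is a detached
RSA-SHA256 over the serialized Assertion bytes rather than a real enveloped
XML-DSig with exclusive C14N, which a production SP would get from an XML-DSig
library. InResponseTo and assertion-ID replay checks are left out for length.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Conditions holds the two claims every SP must check: validity window and audience.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// Assertion is a cut-down <saml:Assertion>: only the fields this SP checks.
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

// SignedAssertion is the wire form used here: serialized assertion plus a detached
// RSA-SHA256 signature over those exact bytes (a simplification of enveloped XML-DSig).
type SignedAssertion struct {
	XML       []byte
	Signature []byte
}

// IssueAssertion is the IdP side: mint the assertion just-in-time and sign it.
func IssueAssertion(idpKey *rsa.PrivateKey, issuer, audience, nameID string, now time.Time) (SignedAssertion, error) {
	a := Assertion{
		ID: fmt.Sprintf("_%d", now.UnixNano()), Issuer: issuer, NameID: nameID,
		Conditions: Conditions{
			NotBefore:    now.UTC().Format(time.RFC3339),
			NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339),
			Audience:     audience,
		},
	}
	raw, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return SignedAssertion{XML: raw, Signature: sig}, err
}

// SP holds what is configured out of band (typically from signed metadata).
type SP struct {
	EntityID    string
	IdPEntityID string
	IdPKey      *rsa.PublicKey
	ClockSkew   time.Duration
}

// Validate checks locally; nothing is sent to the IdP. The signature is verified
// before the XML is parsed, with sp.IdPKey, never with key material from the message.
func (sp *SP) Validate(m SignedAssertion, now time.Time) (*Assertion, error) {
	digest := sha256.Sum256(m.XML)
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, errors.New("signature does not verify against the IdP key from metadata")
	}
	var a Assertion
	if err := xml.Unmarshal(m.XML, &a); err != nil {
		return nil, fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Issuer != sp.IdPEntityID {
		return nil, fmt.Errorf("issuer %q is not the configured IdP %q", a.Issuer, sp.IdPEntityID)
	}
	if a.Conditions.Audience != sp.EntityID {
		return nil, fmt.Errorf("audience %q is not this SP %q", a.Conditions.Audience, sp.EntityID)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return nil, errors.New("unparseable Conditions timestamps")
	}
	if now.Add(sp.ClockSkew).Before(nb) {
		return nil, errors.New("assertion not yet valid")
	}
	if !now.Add(-sp.ClockSkew).Before(noa) {
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key in IdP metadata
	sp := &SP{EntityID: "https://sp.example.org/saml", IdPEntityID: "https://idp.example.edu/idp", IdPKey: &idpKey.PublicKey, ClockSkew: 3 * time.Minute}
	m, _ := IssueAssertion(idpKey, sp.IdPEntityID, sp.EntityID, "persistent-id-1234", time.Now())
	a, err := sp.Validate(m, time.Now())
	fmt.Printf("accepted=%v assertion=%+v err=%v\n", err == nil, a, err)
}
```

The ordering matters: an assertion signed with any key other than the one from
metadata is rejected before its XML is parsed, so a forged Issuer, Audience or
NameID is never even read. The skew window is applied symmetrically to
NotBefore and NotOnOrAfter; keep it small (minutes) so a captured assertion
has a short replay window.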

