Subject: Re: [saml-dev] Questions related to SAMLv2.0

On 3/12/14, 3:58 PM, "Tom Scavo" <trscavo@gmail.com> wrote:

>On Wed, Mar 12, 2014 at 2:32 PM, Security Developer
><security.developer22@gmail.com> wrote:
>> 1- How will a persistent name identifier be established between the IdP and
>> multiple SPs when using the SAML Web SSO profile?
>Practically speaking, Persistent NameIDs are created at the IdP and
>passed to SPs just-in-time, they are not prearranged in advance.

I think maybe the OP is asking about how to avoid them being unique at
every SP. One answer is that you don't use them for that use case, use
something else. Another is the concept of Affiliations from Liberty that
were included in SAML, which group SPs into sets that get the same
identifier from the SP.

>> 3- In which request form do SAML assertions pass from one SP to another and
>> so on in order to achieve Web SSO?
>In my world, anyway, assertions travel from IdP to SP only. The only
>exception is the IdP Proxy (which you can read about in SAML Core). In
>that case, the IdP Proxy is both a consumer and producer of
>assertions, that is, it is both an SP and an IdP.

Put another way, SSO in SAML and the protocols it copied and that copy it
is a function of authentication at the IdP, and not of the protocol
itself. SPs don't give each other SSO, using a cookie or certificate to
authenticate to the IdP does.

-- Scott
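Both points in the thread (Persistent NameIDs being minted at the IdP just-in-time and scoped per SP or per affiliation, and SSO being a property of the IdP session rather than anything SPs do for each other) can be shown in a few lines of IdP-side logic. The following is an added illustration, not code from the thread, from OASIS, or from any SAML implementation. SAML Core requires a persistent identifier to be opaque and pairwise-unique per IdP/SP pair, with SPNameQualifier naming either the SP or the affiliation it belongs to; the keyed-hash derivation below is one common way to meet that and is an assumed implementation choice, not something the spec mandates. The entity IDs, the salt and the session handling are constructed for the example, and message signing, XML processing and the real credential check are left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from xml.sax.saxutils import escape, quoteattr

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass(frozen=True)
class PersistentNameID:
    value: str               # opaque, stable per (user, qualifier) pair
    name_qualifier: str      # the issuing IdP's entityID
    sp_name_qualifier: str   # the SP's entityID, or the affiliation ID it shares

    def to_xml(self) -> str:
        """Render the <saml:NameID> element as it would appear in the Subject."""
        return (
            f"<saml:NameID Format={quoteattr(PERSISTENT)} "
            f"NameQualifier={quoteattr(self.name_qualifier)} "
            f"SPNameQualifier={quoteattr(self.sp_name_qualifier)}>"
            f"{escape(self.value)}</saml:NameID>"
        )


@dataclass
class IdP:
    """Minimal IdP state for the example: an identifier-derivation secret,
    affiliation membership, and the session table that actually provides SSO."""
    entity_id: str
    salt: bytes                                        # assumed long-lived IdP secret
    affiliations: dict = field(default_factory=dict)   # affiliation ID -> member SP entityIDs
    sessions: dict = field(default_factory=dict)       # session cookie -> local user id
    logins: int = 0                                    # interactive authentications performed

    def login(self, user: str) -> str:
        """Interactive authentication (credential check omitted for the example).
        This is the only place a user is ever authenticated; every later
        AuthnRequest rides on the returned cookie."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        self.logins += 1
        return cookie

    def sp_name_qualifier(self, sp_entity_id: str) -> str:
        """An SP inside an affiliation gets the affiliation ID as its qualifier,
        so all members receive the same identifier; otherwise the SP's own ID."""
        for aff_id, members in self.affiliations.items():
            if sp_entity_id in members:
                return aff_id
        return sp_entity_id

    def persistent_name_id(self, user: str, sp_entity_id: str) -> PersistentNameID:
        """Derive the identifier on demand: HMAC(salt, user || qualifier).
        Nothing is pre-arranged with the SP, and without the salt an SP cannot
        recompute the value or correlate it with another qualifier's value."""
        qualifier = self.sp_name_qualifier(sp_entity_id)
        mac = hmac.new(self.salt, f"{user}!{qualifier}".encode(), hashlib.sha256)
        return PersistentNameID(mac.hexdigest(), self.entity_id, qualifier)

    def handle_authn_request(self, sp_entity_id: str, cookie):
        """Answer an SP's AuthnRequest. With a valid IdP session the assertion is
        issued without re-authentication; without one the user must log in."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        return {
            "issuer": self.entity_id,
            "audience": sp_entity_id,
            "name_id": self.persistent_name_id(user, sp_entity_id),
        }


def build_idp() -> IdP:
    """Constructed sample deployment: sp1 and sp2 share an affiliation, sp3 does not."""
    return IdP(
        entity_id="https://idp.example.org/idp",
        salt=b"constructed-example-salt-do-not-reuse",
        affiliations={
            "https://affiliation.example.org": {
                "https://sp1.example.org", "https://sp2.example.org",
            }
        },
    )


if __name__ == "__main__":
    idp = build_idp()
    cookie = idp.login("alice")              # one interactive login
    for sp in ("https://sp1.example.org", "https://sp2.example.org", "https://sp3.example.org"):
        assertion = idp.handle_authn_request(sp, cookie)   # three SSO logins, no re-auth
        print(sp, assertion["name_id"].to_xml())
    print("interactive logins:", idp.logins)
```

Running it shows sp1 and sp2 receiving the same NameID value with SPNameQualifier set to the affiliation ID, sp3 receiving a different value qualified by its own entityID, and the login counter staying at one while three assertions are issued: the SPs never exchanged anything, the IdP's session cookie did the work.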