Subject: Re: [saml-dev] SAML authentication in N-Tier application
On 3/28/14, 8:03 AM, "Phalguni Mukherjee" <phalgunimukherjee1007@gmail.com> wrote:

> I have my architecture as follows: I have a service provider SP1 which
> provides SAML based authentication, I have a second service provider SP2
> which provides some service, now I want to authenticate the user for SP2
> through SP1. Is it possible to do that? I didn't find a solution to it.

Assuming you mean you want the user's identity to be part of the security context at SP2, even though only SP1 is accessing it, that's delegation. In SAML, you do that as follows:

The original SSO assertion is extended to include a second SubjectConfirmation that allows SP1 to wield the assertion as a token to authenticate to the IdP on the user's behalf, and it includes an Audience restriction identifying the IdP as the relying party. It can be bearer or holder of key confirmation (or anything, really).

The IdP is extended to support a variant of the Authentication Request protocol such that the original assertion is supplied in a WS-Security header as the authentication token for a SOAP-based request. This is an extension of the ECP profile essentially.

Finally, the response to that ECP request is relayed by SP1 to SP2 and the assertion contains a delegation restriction condition that identifies SP1 as a delegate of the user. The subject remains the user throughout.

-- Scott
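As an added illustration of the flow Scott describes (this is example code written for this page, not code from the thread or from any SAML implementation): the first string is the shape of the original SSO assertion with a second SubjectConfirmation and the IdP added as an audience; the second is the shape of the assertion the IdP returns to SP1's ECP request and SP1 relays to SP2, carrying a delegation restriction condition naming SP1. The functions at the end are the checks SP2 would run before trusting the relayed assertion. All entity identifiers, IDs and timestamps are constructed; the delegation-condition namespace is the SAML V2.0 delegation restriction extension, and the endpoint paths (`/acs`, `/ecp`) are assumed.

```python
"""Added example (not part of the thread): the two assertions in a SAML
delegation flow and the policy checks SP2 should apply to the relayed one.
All identifiers, IDs and timestamps below are constructed for illustration."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DELEG = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"  # delegation-restriction condition
XSI = "http://www.w3.org/2001/XMLSchema-instance"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"  # holder-of-key would work equally well

# Constructed entity identifiers for the four parties (hypothetical)
USER, IDP = "alice@example.org", "https://idp.example.org/idp"
SP1, SP2 = "https://sp1.example.org/sp", "https://sp2.example.org/sp"

# 1. Original SSO assertion: the second SubjectConfirmation lets SP1 present the
#    assertion to the IdP's ECP endpoint, and the IdP is also named as an audience.
SSO_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_sso1" Version="2.0" IssueInstant="2014-03-28T15:03:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>{USER}</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP1}/acs" NotOnOrAfter="2014-03-28T15:08:00Z"/>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{IDP}/ecp" NotOnOrAfter="2014-03-28T16:03:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{SP1}</saml:Audience>
      <saml:Audience>{IDP}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# 2. Assertion the IdP issues for SP1's ECP request and SP1 relays to SP2:
#    the subject is still the user; a delegation condition names SP1 as delegate.
DELEGATED_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_del1" Version="2.0" IssueInstant="2014-03-28T15:04:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>{USER}</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP2}/acs" NotOnOrAfter="2014-03-28T15:09:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{SP2}</saml:Audience></saml:AudienceRestriction>
    <saml:Condition xmlns:xsi="{XSI}" xmlns:del="{DELEG}" xsi:type="del:DelegationRestrictionType">
      <del:Delegate ConfirmationMethod="{BEARER}" DelegationInstant="2014-03-28T15:04:00Z">
        <saml:NameID>{SP1}</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>"""


def subject(assertion_xml):
    """NameID of the assertion's subject (the user in both assertions above)."""
    root = ET.fromstring(assertion_xml)
    return root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text


def recipients(assertion_xml):
    """Recipient of every SubjectConfirmation, in document order."""
    root = ET.fromstring(assertion_xml)
    return [d.get("Recipient") for d in root.iter(f"{{{SAML}}}SubjectConfirmationData")]


def audiences(assertion_xml):
    root = ET.fromstring(assertion_xml)
    return [a.text for a in root.iter(f"{{{SAML}}}Audience")]


def delegates(assertion_xml):
    """NameIDs listed in delegation-restriction conditions (the delegation chain)."""
    root = ET.fromstring(assertion_xml)
    return [n.text for d in root.iter(f"{{{DELEG}}}Delegate")
            for n in d.iter(f"{{{SAML}}}NameID")]


def sp2_accepts(assertion_xml, trusted_delegates=frozenset({SP1})):
    """SP2's policy for a relayed assertion: it must be addressed to SP2, and
    every delegate in the chain must be a party SP2 trusts to act for users.
    Signature and validity-window checks are assumed to have passed already."""
    if SP2 not in audiences(assertion_xml):
        return False
    if f"{SP2}/acs" not in recipients(assertion_xml):
        return False
    chain = delegates(assertion_xml)
    return bool(chain) and all(d in trusted_delegates for d in chain)


if __name__ == "__main__":
    print("subject unchanged:", subject(SSO_ASSERTION) == subject(DELEGATED_ASSERTION))
    print("delegation chain:", delegates(DELEGATED_ASSERTION))
    print("SP2 accepts relayed assertion:", sp2_accepts(DELEGATED_ASSERTION))
```

The point of `sp2_accepts` is that SP2 does not take SP1's word for who the user is: it reads the user from the subject of an IdP-issued assertion, confirms the assertion was addressed to SP2, and separately decides whether it trusts the delegate named in the condition. Dropping the original SSO assertion (which is addressed to SP1 and the IdP, not SP2) through the same function fails, which is the behaviour you want.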