[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] SAML authentication in N-Tier application
On 3/28/14, 8:03 AM, "Phalguni Mukherjee"
<phalgunimukherjee1007@gmail.com> wrote:>through SP1, Is it possibeto do that, I didn't find a solution to it?
>I have my architecture as follows: I have a service provider SP1 which
>provides SAML based authentication, I have a second service provider SP2
>which provides some service, now I want to authenticate the user for SP2
Assuming you mean you want the user's identity to be part of the security
context at SP2, even though only SP1 is accessing it, that's delegation.
In SAML, you do that as follows:
The original SSO assertion is extended to include a second
SubjectConfirmation that allows SP1 to wield the assertion as a token to
authenticate to the IdP on the user's behalf, and it includes an Audience
restriction identifying the IdP as the relying party. It can be bearer or
holder of key confirmation (or anything, really).
The IdP is extended to support a variant of the Authentication Request
protocol such that the original assertion is supplied in a WS-Security
header as the authentication token for a SOAP-based request. This is an
extension of the ECP profile essentially.
Finally, the response to that ECP request is relayed by SP1 to SP2 and the
assertion contains a delegation restriction condition that identifies SP1
as a delegate of the user. The subject remains the user throughout.
-- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]