
saml-dev message


Subject: Re: [saml-dev] SAML authentication in N-Tier application

My SP2 is a web application that provides a web page based interface; does delegation work in that case as well?

On Fri, Mar 28, 2014 at 7:44 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
On 3/28/14, 8:03 AM, "Phalguni Mukherjee"
<phalgunimukherjee1007@gmail.com> wrote:

>I have my architecture as follows: I have a service provider SP1 which
>provides SAML based authentication, I have a second service provider SP2
>which provides some service, now I want to authenticate the user for SP2
>through SP1. Is it possible to do that? I didn't find a solution to it.

Assuming you mean you want the user's identity to be part of the security
context at SP2, even though only SP1 is accessing it, that's delegation.

In SAML, you do that as follows:

The original SSO assertion is extended to include a second
SubjectConfirmation that allows SP1 to wield the assertion as a token to
authenticate to the IdP on the user's behalf, and it includes an Audience
restriction identifying the IdP as the relying party. It can be bearer or
holder of key confirmation (or anything, really).

The IdP is extended to support a variant of the Authentication Request
protocol such that the original assertion is supplied in a WS-Security
header as the authentication token for a SOAP-based request. This is an
extension of the ECP profile essentially.

Finally, the response to that ECP request is relayed by SP1 to SP2 and the
assertion contains a delegation restriction condition that identifies SP1
as a delegate of the user. The subject remains the user throughout.

-- Scott

Thanks & Regards
Phalguni Mukherjee
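The last of the three steps Scott describes, as an added example that is not from this thread or from any SAML product: the acceptance check SP2 (the web application asked about above) would run on the assertion SP1 relays to it. The assertion below is constructed, the entity IDs and endpoints are hypothetical, and the delegation condition is assumed to follow the OASIS "SAML V2.0 Condition for Delegation Restriction" schema (namespace urn:oasis:names:tc:SAML:2.0:conditions:delegation); signature, NotOnOrAfter and replay validation, the extension of the original SSO assertion (step one) and the WS-Security/ECP exchange with the IdP (step two) are not shown.

```python
"""SP2-side acceptance check for a delegated SAML 2.0 assertion (added example).

Assumptions, not from the thread: XML signature, validity-window and replay
checks run before this; the delegation condition uses the OASIS delegation
restriction schema; entity IDs below are hypothetical.
"""
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DELEG = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML, "del": DELEG}

# Constructed sample: what the IdP returns to SP1's ECP-style request and SP1
# relays to SP2. The Subject is still the user; SP1 appears only as a Delegate.
DELEGATED_ASSERTION = f"""\
<saml:Assertion xmlns:saml="{SAML}" xmlns:del="{DELEG}" xmlns:xsi="{XSI}"
    ID="_a1" Version="2.0" IssueInstant="2014-03-28T14:00:05Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1234</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp2.example.org/SAML2/ECP"
          NotOnOrAfter="2014-03-28T14:05:05Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-03-28T14:00:05Z" NotOnOrAfter="2014-03-28T14:05:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp2.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate DelegationInstant="2014-03-28T14:00:05Z"
          ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp1.example.org/sp</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>
"""


def _parse(xml_text):
    """Parse the document and collect the prefix->URI map, which ElementTree
    drops but which is needed to resolve the QName in xsi:type."""
    data = xml_text.encode("utf-8")
    prefixes = {p: u for _, (p, u) in ET.iterparse(io.BytesIO(data), events=("start-ns",))}
    return ET.fromstring(data), prefixes


def _is_delegation_condition(cond, prefixes):
    """True if the Condition's xsi:type resolves to del:DelegationRestrictionType.
    Comparing only the local name would let any namespace spoof the type."""
    prefix, _, local = cond.get(f"{{{XSI}}}type", "").rpartition(":")
    return prefixes.get(prefix) == DELEG and local == "DelegationRestrictionType"


def check_delegated_assertion(xml_text, my_entity_id, trusted_delegates):
    """Return (subject, delegates) if SP2 may accept a relayed assertion;
    raise ValueError if it is not addressed to SP2, carries no delegation
    condition, or names a delegate SP2 does not trust."""
    root, prefixes = _parse(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not subject:
        raise ValueError("assertion has no Subject NameID")
    # Every AudienceRestriction must be satisfied (AND); within one, any
    # listed Audience may match (OR). Flattening them into one set is too lax.
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        raise ValueError("assertion has no AudienceRestriction")
    for ar in restrictions:
        if my_entity_id not in {(a.text or "").strip() for a in ar.findall("saml:Audience", NS)}:
            raise ValueError(f"assertion not addressed to {my_entity_id}")
    delegates = []
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        if not _is_delegation_condition(cond, prefixes):
            continue
        for d in cond.findall("del:Delegate", NS):
            name = (d.findtext("saml:NameID", namespaces=NS) or "").strip()
            if not name:  # BaseID/EncryptedID delegates are not handled in this example
                raise ValueError("Delegate without a NameID")
            delegates.append(name)
    # An assertion arriving on SP1's relay channel with no delegation condition
    # was not issued for this flow; treat it as a misrouted or stolen SSO token.
    if not delegates:
        raise ValueError("relayed assertion carries no delegation condition")
    unknown = [d for d in delegates if d not in trusted_delegates]
    if unknown:
        raise ValueError(f"untrusted delegate(s): {unknown}")
    return subject, tuple(delegates)


if __name__ == "__main__":
    sp2 = "https://sp2.example.org/sp"
    print(check_delegated_assertion(DELEGATED_ASSERTION, sp2, {"https://sp1.example.org/sp"}))
    try:
        check_delegated_assertion(DELEGATED_ASSERTION, sp2, {"https://other.example.org/sp"})
    except ValueError as err:
        print("rejected:", err)
```

SP2's security context is built from the returned subject (the user), with the delegate list available for authorization decisions or audit; the user never authenticates directly to SP2, which is what makes this work for a page-based web application as much as for a SOAP service.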
