OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Question - SP authorization check

Security Developer wrote at 2015-9-10 18:41 +0500:
>In SP initiated web SSO, when SAML authentication response is received at
>SP, the SP apart from other things validate the SAML assertion and creates
>session of the user at SP.
>     <saml:NameID
>                   3f7b3dcf-1674-4ecd-92c8-1544f346baf8
>       </saml:NameID>
>       <saml:SubjectConfirmation
>            <saml:SubjectConfirmationData InResponseTo="identifier_1"
>        </saml:SubjectConfirmation>
>If NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>then session at SP belongs to which user?

Some user authenticated by the authority who generated the assertion.
If you need more information, then you cannot use the
"transient" NameID format.

>because it is an opaque
>information in NameID. Also how authorization checks will be performed at
>SP as user is opaque in the assertion.

The authorization is usually made based on the identity providing
authority - not based on the individual user.

The following is a typical scenario:
Assume you have a cooperation of independent institutions where the
cooperation allows institution members to use some services of the partner
In this case, it is not necessary to know the individual member. It is only
necessary to know that it is a member of a partner institution.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]