


security-services-comment message


Subject: Re: [security-services-comment] Public Comment

On 20 Oct 2005 12:32:25 -0000, comment-form@oasis-open.org
> Could anyone tell me what were the reasons that in the SAML use cases, e.g. the Browser/Artifact SSO profile, there is no direct communication between SP and IdP when the <AuthRequest> / <AuthResponse> are sent? The point of my question is that IdP and SP know each other's SAML-SOAP endpoints, so why do they need to communicate by sending artifacts via e.g. HTTP Redirect instead of directly sending SOAP messages to each other?

Because an act of user authentication must occur and only the user
possesses the credentials to perform that act.

> Are there security reasons?

There is a back-channel samlp:AuthnQuery but it assumes the act of
user authentication has already occurred.

Hope this helps,
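The exchange discussed in this thread, as an added toy model that is not part of the original post or of any OASIS specification: three actors (browser, SP, IdP) step through a Browser/Artifact-style SSO, and the model shows why the front channel cannot be skipped. Only the `UserAgent` holds the user's credential, so the IdP can issue an assertion only when the browser presents it; the SP then redeems the artifact on the back channel, and a back-channel `authn_query` returns nothing until that act of authentication has happened. Class and method names, the 60-second artifact lifetime, the single-use artifact cache and the sample user `alice` are all assumptions made for this illustration, not SAML wire syntax.

```python
"""Constructed model of SAML Browser/Artifact SSO: why authentication is front-channel.

Not OASIS code.  Names, the artifact TTL and the sample credentials are
assumptions chosen for illustration; real deployments use signed XML
messages, SOAP bindings and proper session management.
"""
import secrets
import time
from dataclasses import dataclass

ARTIFACT_TTL = 60  # seconds; artifacts are short-lived handles (assumed value)


@dataclass
class Assertion:
    subject: str
    issuer: str
    authn_instant: float


class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self._users = users          # username -> password (constructed sample store)
        self._sessions = {}          # username -> Assertion, filled only after front-channel login
        self._artifacts = {}         # artifact -> (Assertion, expiry), redeemed once

    # Front channel: reached via the browser, which is the only party holding the credential.
    def sso_endpoint(self, authn_request, username, password):
        if self._users.get(username) != password:
            raise PermissionError("authentication failed")
        assertion = Assertion(username, self.entity_id, time.time())
        self._sessions[username] = assertion
        artifact = secrets.token_urlsafe(20)  # opaque handle, carries no assertion data
        self._artifacts[artifact] = (assertion, time.time() + ARTIFACT_TTL)
        return artifact  # would travel back to the SP as SAMLart on an HTTP redirect

    # Back channel (SP -> IdP over SOAP): redeem an artifact for the assertion it references.
    def artifact_resolution_service(self, artifact):
        entry = self._artifacts.pop(artifact, None)  # single use: a replayed artifact fails
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if time.time() <= expiry else None

    # Back channel samlp:AuthnQuery: reports an authentication that already occurred, never performs one.
    def authn_query(self, subject):
        return self._sessions.get(subject)


class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id = entity_id
        self.idp = idp
        self.logged_in = {}

    def build_authn_request(self):
        return {"issuer": self.entity_id, "id": secrets.token_hex(8)}

    # Assertion consumer service: receives the artifact from the browser, resolves it on the back channel.
    def assertion_consumer_service(self, artifact):
        assertion = self.idp.artifact_resolution_service(artifact)
        if assertion is None:
            raise PermissionError("artifact could not be resolved")
        self.logged_in[assertion.subject] = assertion
        return assertion


class UserAgent:
    """The browser: the only actor that can perform the act of authentication."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def single_sign_on(self, sp):
        request = sp.build_authn_request()                                      # SP -> browser (redirect)
        artifact = sp.idp.sso_endpoint(request, self.username, self.password)   # browser -> IdP, user logs in
        return sp.assertion_consumer_service(artifact)                          # browser -> SP; SP -> IdP back channel


def run_scenario():
    """Walk the flow once and report what each channel could and could not do."""
    idp = IdentityProvider("https://idp.example", {"alice": "s3cret"})  # constructed sample
    sp = ServiceProvider("https://sp.example", idp)
    before = idp.authn_query("alice")            # SP asks IdP directly: nothing to report yet
    assertion = UserAgent("alice", "s3cret").single_sign_on(sp)
    after = idp.authn_query("alice")             # now the back channel can answer
    replayed = idp.artifact_resolution_service("not-an-issued-artifact")
    return {"before": before, "assertion": assertion, "after": after, "replayed": replayed}


if __name__ == "__main__":
    result = run_scenario()
    print("AuthnQuery before login:", result["before"])
    print("Assertion via artifact:", result["assertion"])
    print("AuthnQuery after login:", result["after"])
```

The SP's direct back-channel question is answered only after the browser has completed the front-channel step, which is exactly the reply's point: the endpoints being mutually known does not help when the one thing the IdP needs, the user's credential, is held by neither the SP nor the IdP.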
