[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: First contact
Anders - It is a mistake to think of the SAML artifact as an unfortunate compromise imposed on us by the limitations of commercial browsers. It is the "bearer token" in SAML's Web browser authentication scheme. If you have it, you can impersonate the subject of the associated assertion. Therefore, a relying party must be able to confirm that it was issued by an authority that it trusts to the entity that is presenting it. So, supplementary communication between the relying party and the issuer is needed to confirm this, not merely to get additional information that wouldn't fit into the artifact. Without this supplementary communication, one relying party can impersonate any subject that it has previously authenticated.
Best regards. Tim.
-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Thursday, July 26, 2001 4:11 AM
To: OASIS SAML; Tim Moses
Subject: Re: First contact
First contactHi Tim,
I appreciate discussions in this area as I feel that there are some less
clear things in SAML! Anyway, some comments in-line.
>Push model
>Browser Content site Authentication site
>1 <----------- redirect----------
>2 -------------redirect----------------------------------->
>3 <-------------------------authenticate------------------>
>4 <-------assertion-------
>5 --------reference------>
>6 <-----------------------------------redirect(reference)--
>7 --------redirect(reference)--->
>The Push model leaves questions like ...
>How does the Authentication site know where to send the assertion?
By having the redirect in #1-2 contain this information
>How does the Authentication site know what attributes to include in the assertion?
By having the redirect specify what it wants, and let the user or the
user's authority do some choices. Shibboleth use-case
>Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site.
This is indeed a problem. The easiest solution is to not use
references but entire assertions:
http://www.x-obi.com/OBI400/andersr-browser-artifact.ppt
>In both cases, the Content site has no opportunity to indicate its authentication
>requirements (one or two factor, for instance).
It has that in the redirect.
Regards
Anders Rundgren
X-OBI
------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word
"unsubscribe" in the body to: security-services-request@lists.oasis-open.org
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC