----- Original Message -----
Sent: Thursday, July 26, 2001 22:01
Subject: RE: First contact
Anders - It is a mistake to think of the SAML artifact as an
unfortunate compromise imposed on us by the limitations of commercial
browsers. It is the "bearer token" in SAML's Web browser authentication
scheme. If you have it, you can impersonate the subject of the
associated assertion. Therefore, a relying party must be able to confirm
that it was issued by an authority that it trusts to the entity that is
presenting it. So, supplementary communication between the relying party
and the issuer is needed to confirm this, not merely to get additional
information that wouldn't fit into the artifact. Without this
supplementary communication, one relying party can impersonate any subject
that it has previously authenticated.
Best regards. Tim.
-----Original Message-----
From:
Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Thursday, July 26, 2001 4:11 AM
To: OASIS SAML; Tim Moses
Subject: Re: First
contact
First contactHi Tim,
I appreciate
discussions in this area as I feel that there are some less
clear things in SAML! Anyway, some comments in-line.
>Push model
>Browser
Content site Authentication
site
>1 <----------- redirect----------
>2
-------------redirect----------------------------------->
>3 <-------------------------authenticate------------------>
>4
<-------assertion-------
>5
--------reference------>
>6
<-----------------------------------redirect(reference)--
>7 --------redirect(reference)--->
>The Push model leaves questions like ...
>How does the Authentication site know where to send the assertion?
By having the redirect in #1-2
contain this information
>How does the Authentication site know what attributes to
include in the assertion?
By having the redirect specify what it wants, and
let the user or the
user's authority do
some choices. Shibboleth use-case
>Furthermore, the authentication thread is occupied waiting
for the reference to return from the Content site.
This is indeed a problem. The easiest
solution is to not use
references but
entire assertions:
http://www.x-obi.com/OBI400/andersr-browser-artifact.ppt
>In both cases, the Content site has no opportunity to
indicate its authentication
>requirements (one or
two factor, for instance).
It has that in the redirect.
Regards
Anders Rundgren
X-OBI
------------------------------------------------------------------
To unsubscribe from this elist send a message with the single
word
"unsubscribe" in the body to:
security-services-request@lists.oasis-open.org