OASIS Mailing List Archives

security-services message

Subject: WAYF in SAML? Was: First contact

In Shibboleth there is a proprietary system for finding the authentication site,
the so-called WAYF (Where Are You From) service.
In SAML I see no solutions at all for this. This is likely to affect SAML interoperability.
Question: Would the SAML-"community" be interested in defining a generic WAYF-service?
Anders Rundgren
----- Original Message -----
From: Tim Moses
Sent: Wednesday, July 25, 2001 23:51
Subject: First contact

Colleagues - I've given consideration to the "first contact" issue, and satisfied myself that the current browser profile satisfies the requirement.

For those interested in the details ...

Remember, the question is ... what will be the message flow if the subject first goes to a site that has protected content, rather than first going to an authentication site?

Push model

Browser                   Content site         Authentication site
1 <----------- redirect----------
2 -------------redirect----------------------------------->
3 <-------------------------authenticate------------------>
4                                  <-------assertion-------
5                                  --------reference------>
6 <-----------------------------------redirect(reference)--
7 --------redirect(reference)--->

Pull model
Browser                   Content site         Authentication site
1 <----------- redirect-------------
2 -------------redirect----------------------------------->
3 <-------------------------authenticate------------------>
4 <-----------------------------------redirect(reference)--
5 --------redirect(reference)------>
6                                  --------reference------>
7                                  <--------assertion------

The Push model leaves questions like ...
How does the Authentication site know where to send the assertion?
How does the Authentication site know what attributes to include in the assertion?
Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site.

This might all just mean that the Push model becomes less popular than the Pull model in this situation.

In both cases, the Content site has no opportunity to indicate its authentication requirements (one or two factor, for instance).  But, perhaps, each Authentication site URL should be dedicated to a single authentication policy.  Then the Content site chooses the policy by redirecting the browser to the appropriate URL.

Step 6 in the Pull model is a SAML request for one or more assertions.  The request must be able to carry the reference extracted from the artifact in the redirection steps (4 and 5) as well as the list of requested attributes.  So, I'll be checking the schema proposals to ensure that this is possible.

Best regards.  Tim.

Tim Moses
Tel: 613.270.3183
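The pull-model exchange sketched in the message above, carried through both sides as an added simulation. This is illustrative code written for this page, not code from the thread and not SAML's actual artifact or request syntax; the host names, the `return` and `ref` query parameters, the single-use reference store, the per-policy authentication URLs and the constructed user table are all assumptions made for the example. It also shows how the pull model answers the two questions raised against the push model: the authentication site learns where the assertion goes because the content site comes and fetches it, and it learns which attributes to include because the content site lists them in its request.

```python
"""Toy simulation of the pull model: content site contacted first, assertion
pulled by reference. Added illustration only; not SAML's real wire format."""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Assertion:
    subject: str
    policy: str                 # authentication policy that was actually applied
    attributes: dict
    audience: str               # content site the assertion was issued for
    issued_at: float = field(default_factory=time.time)


class AuthenticationSite:
    """Authenticates the subject and parks the assertion behind an opaque reference."""

    def __init__(self, host):
        self.host = host
        # Assumption taken from the message: one URL per authentication policy, so
        # the content site selects the policy by choosing which URL it redirects to.
        self.policy_urls = {"one-factor": f"https://{host}/auth/1f",
                            "two-factor": f"https://{host}/auth/2f"}
        self._users = {"alice": {"email": "alice@example.org", "role": "staff"}}  # constructed
        self._pending = {}      # reference -> Assertion, consumed on first resolve

    def authenticate(self, auth_url, subject, credential):
        """Steps 3 and 4: authenticate, then redirect the browser back with a reference."""
        url = urlsplit(auth_url)
        base = f"{url.scheme}://{url.netloc}{url.path}"
        policy = next((p for p, u in self.policy_urls.items() if u == base), None)
        if policy is None or subject not in self._users or credential != "correct":
            raise PermissionError("authentication failed")   # constructed credential check
        return_to = parse_qs(url.query)["return"][0]
        ref = secrets.token_urlsafe(20)                       # opaque, unguessable reference
        self._pending[ref] = Assertion(subject, policy, dict(self._users[subject]), return_to)
        return f"{return_to}?{urlencode({'ref': ref})}"      # step 4: redirect(reference)

    def resolve(self, ref, requester, requested_attrs):
        """Steps 6 and 7: content site presents the reference and gets the assertion once."""
        a = self._pending.pop(ref, None)                      # single use: replay fails
        if a is None:
            raise LookupError("unknown or already-used reference")
        if a.audience != requester:
            raise PermissionError("reference was issued for a different content site")
        # Include only the attributes the requester asked for.
        attrs = {k: v for k, v in a.attributes.items() if k in requested_attrs}
        return Assertion(a.subject, a.policy, attrs, a.audience, a.issued_at)


class ContentSite:
    """The protected site the subject contacts first."""

    def __init__(self, base_url, auth_site, required_policy, wanted_attrs):
        self.base_url = base_url
        self.auth_site = auth_site
        self.required_policy = required_policy
        self.wanted_attrs = wanted_attrs

    def first_contact(self):
        """Steps 1 and 2: no session, so redirect to the policy-specific auth URL."""
        auth_url = self.auth_site.policy_urls[self.required_policy]
        return f"{auth_url}?{urlencode({'return': self.base_url})}"

    def receive_reference(self, redirected_url):
        """Step 5: the browser returns with the reference; step 6: pull the assertion."""
        ref = parse_qs(urlsplit(redirected_url).query)["ref"][0]
        assertion = self.auth_site.resolve(ref, self.base_url, self.wanted_attrs)
        if assertion.policy != self.required_policy:          # defence in depth
            raise PermissionError("assertion does not meet the required policy")
        return {"subject": assertion.subject, **assertion.attributes}


def run_pull_model(subject="alice", credential="correct"):
    """Drives one browser through the exchange; returns (session, replay_rejected)."""
    auth = AuthenticationSite("auth.example.org")
    content = ContentSite("https://content.example.org/protected", auth,
                          "two-factor", ["email"])
    to_auth = content.first_contact()                        # steps 1-2
    back_to_content = auth.authenticate(to_auth, subject, credential)   # steps 3-4
    session = content.receive_reference(back_to_content)     # steps 5-7
    try:
        content.receive_reference(back_to_content)           # same reference presented again
        replay_rejected = False
    except LookupError:
        replay_rejected = True
    return session, replay_rejected


if __name__ == "__main__":
    print(run_pull_model())   # ({'subject': 'alice', 'email': 'alice@example.org'}, True)
```

The reference that travels through the browser carries no assertion content, so anything that can read the redirect URL (logs, referrers, history) learns only a random token; the assertion itself moves over the direct content-site-to-authentication-site channel in step 6/7. Consuming the reference on first resolution and checking that the requester is the site it was issued for are the two properties a practitioner would want such a reference to have.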
