----- Original Message -----
Sent: Wednesday, July 25, 2001 23:51
Subject: First contact
Colleagues - I've given consideration to the "first contact" issue, and satisfied myself that the current browser profile satisfies the requirement.

For those interested in the details ...

Remember, the question is ... what will be the message flow if the subject first goes to a site that has protected content, rather than first going to an authentication site?
Push model (parties: Browser, Content site, Authentication site)

  1  Content site -> Browser:              redirect
  2  Browser -> Authentication site:       redirect
  3  Browser <-> Authentication site:      authenticate
  4  Authentication site -> Content site:  assertion
  5  Content site -> Authentication site:  reference
  6  Authentication site -> Browser:       redirect(reference)
  7  Browser -> Content site:              redirect(reference)

Pull model (parties: Browser, Content site, Authentication site)

  1  Content site -> Browser:              redirect
  2  Browser -> Authentication site:       redirect
  3  Browser <-> Authentication site:      authenticate
  4  Authentication site -> Browser:       redirect(reference)
  5  Browser -> Content site:              redirect(reference)
  6  Content site -> Authentication site:  reference
  7  Authentication site -> Content site:  assertion
The Push model leaves questions like ...

How does the Authentication site know where to send the assertion?
How does the Authentication site know what attributes to include in the assertion?

Furthermore, the authentication thread is occupied waiting for the reference to return from the Content site.

This might all just mean that the Push model becomes less popular than the Pull model in this situation.
In both cases, the Content site has no opportunity to indicate its authentication requirements (one or two factor, for instance). But, perhaps, each Authentication site URL should be dedicated to a single authentication policy. Then the Content site chooses the policy by redirecting the browser to the appropriate URL.

Step 6 in the Pull model is a SAML request for one or more assertions. The request must be able to carry the reference extracted from the artifact in the redirection steps (4 and 5) as well as the list of requested attributes. So, I'll be checking the schema proposals to ensure that this is possible.
Best regards. Tim.
-------------------------------------------------------------------
Tim Moses
Tel: 613.270.3183
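The Pull model flow above, together with the two ideas in the message (a policy chosen by which Authentication site URL the browser is redirected to, and a step 6 request that carries both the reference and the list of requested attributes), can be walked through in a toy simulation. The code below is an added example written for this page; it is not Tim Moses' code, nor any SAML implementation, and every name, URL, policy and attribute value in it is constructed. It also adds two checks a practitioner would want from an artifact-style reference that the message does not discuss: the reference is single-use, and it can only be pulled by the Content site it was issued for.

```python
# Added example: toy simulation of the pull-model "first contact" message flow.
# Everything here (sites, URLs, policies, subject data) is constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Assertion:
    subject: str
    attributes: dict
    audience: str  # the Content site this assertion was issued for


class AuthenticationSite:
    """Holds each issued assertion until the Content site pulls it by reference."""

    def __init__(self, policy_urls):
        # Constructed: each URL is dedicated to one authentication policy,
        # expressed here as the number of factors the policy demands.
        self.policy_urls = policy_urls
        self._pending = {}  # reference -> Assertion, removed once pulled
        self._profile = {   # constructed subject data the site could assert
            "alice": {"role": "staff", "email": "alice@example.test", "shoe_size": "7"},
        }

    def authenticate(self, url, subject, factors_presented, return_to):
        """Steps 2-4: the browser arrives at a policy-specific URL and authenticates."""
        if url not in self.policy_urls:
            raise ValueError("unknown authentication URL")
        if factors_presented < self.policy_urls[url]:
            raise PermissionError("policy at this URL requires more factors")
        reference = secrets.token_urlsafe(16)  # opaque, unguessable reference
        self._pending[reference] = Assertion(subject, dict(self._profile[subject]), return_to)
        return {"redirect_to": return_to, "reference": reference}  # step 4

    def resolve(self, reference, requester, requested_attributes):
        """Steps 6-7: the Content site's request carries the reference and an attribute list."""
        assertion = self._pending.pop(reference, None)  # single use: a replay finds nothing
        if assertion is None or assertion.audience != requester:
            return None  # unknown, already used, or pulled by a site it was not issued for
        released = {k: v for k, v in assertion.attributes.items() if k in requested_attributes}
        return Assertion(assertion.subject, released, assertion.audience)


class ContentSite:
    def __init__(self, name, auth_site, policy_url, wanted_attributes):
        self.name = name
        self.auth_site = auth_site
        self.policy_url = policy_url  # choosing this URL chooses the authentication policy
        self.wanted_attributes = wanted_attributes
        self.sessions = {}

    def first_contact(self):
        """Step 1: no session yet, so redirect the browser to the policy URL."""
        return {"redirect_to": self.policy_url, "return_to": self.name}

    def receive_reference(self, reference):
        """Step 5 arrives by redirect from the browser; step 6 is the pull from the Authentication site."""
        assertion = self.auth_site.resolve(reference, self.name, self.wanted_attributes)
        if assertion is not None:
            self.sessions[assertion.subject] = assertion
        return assertion


def browser_first_contact(content_site, auth_site, subject, factors):
    """Drives the browser through steps 1-7 and returns the assertion the Content site obtained."""
    hop1 = content_site.first_contact()                                   # step 1
    hop2 = auth_site.authenticate(hop1["redirect_to"], subject, factors,
                                  hop1["return_to"])                      # steps 2-4
    return content_site.receive_reference(hop2["reference"])              # steps 5-7


if __name__ == "__main__":
    auth = AuthenticationSite({"https://auth.example.test/one-factor": 1,
                               "https://auth.example.test/two-factor": 2})
    site = ContentSite("https://content.example.test", auth,
                       "https://auth.example.test/two-factor", {"role", "email"})
    print(browser_first_contact(site, auth, "alice", factors=2))
```

The Content site never sees the assertion in the front channel: the browser only ever carries the reference, and the attributes released are restricted to the list the Content site put in its step 6 request.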