OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Third-party AuthnRequest use case

If we can sort out the details in a timely fashion then perhaps I could add this into the Federation use-cases section of the Tech Overview.

Scott and I had an exchange of emails as to the use cases to have in the Tech Overview - this type of use case was a candidate.  However Scott persuaded me not to include it because of having to sort out details like this.


> -----Original Message-----
> From: Greg Whitehead [mailto:grw@trustgenix.com]
> Sent: 07 June 2005 19:03
> To: SAML WG''
> Subject: [security-services] Third-party AuthnRequest use case
> The portal "push" use case is one example where it would be useful to 
> have a third-party, the portal, create an AuthnRequest that can be 
> delivered to the IdP and ultimately deliver the authenticated user to 
> an SP.
> This sort of works with the existing AuthnRequest, but I'm 
> not sure it 
> was intended and there are a few issues:
> 1) The AuthnRequest issuer is expected to be the SP to send the 
> Response to. This means that a third-party issuer has to lie 
> about who 
> it is, precluding the use of request authentication (signing). Note 
> that if the SP advertises that it signs AuthnRequests, IdPs are 
> justified in rejecting unsigned requests.
> 2) The Response's inResponseTo won't make sense to the SP. I 
> believe we 
> have text that talks about receiving a Response without an 
> inResponseTo 
> (an unsolicited response), but we don't discuss the possibility of 
> receiving a Response with an inResponseTo that refers to an 
> AuthnRequest that the SP didn't generate.
> 3) Handling RelayState. I'm not sure where we stand on using 
> RelayState 
> in unsolicited responses to convey TARGET information, but I 
> think the 
> current language is weak enough that it really can't be expected to 
> work... it certainly won't work if SP's are keying on an empty 
> inResponseTo to decide that RelayState might contain a TARGET.
> -Greg
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all 
> your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]