OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Third-party AuthnRequest use case

> Ok, I see what you're suggesting: an IdP could accept additional third 
> party keys, besides those described in an SP's metadata, to validate 
> signatures on AuthnRequests issued on an SP's behalf. That's certainly 
> one solution, and one that doesn't require any protocol changes. I 
> think I'd be happier if the third party was explicitly identified in 
> the request, say as the issuer, and there was some other place to 
> identify the target SP, but would require a protocol change...

Sure, and as I said, this is conceptually possible today using an
AuthnRequest, but it needs to be profiled, and it is more complex. It's also
not optimal because it is true that while "requester" and "relying party"
are both named as potential actors in the prose, the "relying party" isn't
specifically identified in the request except perhaps in an Audience in the
input Conditions.

Adding something like a "RespondTo" attribute in the Request base type would
probably adequately have handled this general case of a requester asking a
responder to send an unprompted response to somebody else.

Alternatively of course it could be handled at the binding layer outside the
protocol. In either case, fields like AssertionConsumerServiceIndex would be
based on the identity of the intended recipient, not the original requester
as today.

Since we really can't do any of this without revving the spec, it's probably
preferable to look for a simpler solution that might at least allow for
signing by such a portal. The tight binding of the portal to the IdP
(domain-wise) made that seem at least feasible.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]