OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Third-party AuthnRequest use case

Should IDP Proxying be added to the list of things that
might change to support the third-party AuthnRequest use case?

I don't know the impetus for the current text's transition
from ID-FF1.2's focus on the principal**, but now the license 
for an IDP to issue a proxy AuthnRequest is only granted if an 
IDP receives an AuthnRequest from a _presenter_ that it hasn't 
already authenticated or can't do so directly.

In SSO Profiles, the presenter is the principal, and the current
IDP Proxy rules create a more secure context. But the third-party
case breaks that correspondence.

Or perhaps IDP Proxy just isn't available in this case ... the 
third-party AuthnRequest request would just entail the SP (as 
initial presenter) trying all candidate IDPs to find one that 
actually can, directly, authenticate the principal?

(** The shift is nearly complete in Core, with the lone flash
back being the explanation for StatusCode ProxyCountExceeded,
which still refers to authenticating the principal (not
presenter) directly.)


> -----Original Message-----
> From: Greg Whitehead [mailto:grw@trustgenix.com] 
> Sent: Tuesday, June 07, 2005 11:03 AM
> To: SAML WG''
> Subject: [security-services] Third-party AuthnRequest use case
> The portal "push" use case is one example where it would be useful to 
> have a third-party, the portal, create an AuthnRequest that can be 
> delivered to the IdP and ultimately deliver the authenticated user to 
> an SP.
> This sort of works with the existing AuthnRequest, but I'm 
> not sure it 
> was intended and there are a few issues:
> 1) The AuthnRequest issuer is expected to be the SP to send the 
> Response to. This means that a third-party issuer has to lie 
> about who it is, precluding the use of request authentication 
> (signing). Note that if the SP advertises that it signs AuthnRequests, 
> IdPs are justified in rejecting unsigned requests.
> 2) The Response's inResponseTo won't make sense to the SP. I 
> believe we have text that talks about receiving a Response without 
> an inResponseTo (an unsolicited response), but we don't discuss 
> the possibility of receiving a Response with an inResponseTo that 
> refers to an AuthnRequest that the SP didn't generate.
> 3) Handling RelayState. I'm not sure where we stand on using 
> RelayState in unsolicited responses to convey TARGET information, 
> but I think the current language is weak enough that it really 
> can't be expected to work... it certainly won't work if SP's are 
> keying on an empty inResponseTo to decide that RelayState might 
> contain a TARGET.
> -Greg
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all 
> your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr
> oups.php 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]