security-services message

Subject: RE: [security-services] Third-party AuthnRequest use case

> In SSO Profiles, the presenter is the principal, and the current
> IDP Proxy rules create a more secure context. But the third-party
> case breaks that correspondence.

No, it doesn't. The presenter is still the principal (the user agent,
anyway). All that changes is that the issuer of the request (the requester)
isn't the intended recipient of the response. Essentially, what you want
here are two separate protocol exchanges, with each exchange consisting of
only half the exchange. Then this becomes "unsolicited response" for which
we have processing rules.

But we can't really do that without changing the spec, because there's
nothing in the protocol to signal that. So instead you have a "spoofed"
request causing the reply to go to an entity that isn't expecting it. It's
not unsolicited, so the IdP will do certain things (like InResponseTo) that
need special treatment.

> Or perhaps IDP Proxy just isn't available in this case ... the 
> third-party AuthnRequest request would just entail the SP (as 
> initial presenter) trying all candidate IDPs to find one that 
> actually can, directly, authenticate the principal?

Proxying doesn't change at all in this model. Nothing in the actual
authentication semantic changes; the changes are at the protocol level.

-- Scott
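As an added illustration (not part of Scott's message or of any SAML implementation): a minimal SP-side classification of a samlp:Response by its InResponseTo attribute, showing why a response to a third-party-issued AuthnRequest is neither "solicited" nor "unsolicited" under the standard rules and so needs the special treatment the message refers to. The SP endpoint URL, IdP entityID and the messages themselves are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical SP: the ACS endpoint that responses must be addressed to.
SP_ACS_URL = "https://sp.example.org/SAML2/POST"


def classify_response(response_xml: str, pending_request_ids: set) -> str:
    """Classify a <samlp:Response> from the receiving SP's point of view.
    pending_request_ids: IDs of AuthnRequests this SP itself issued and has
    not yet seen answered. Returns 'solicited', 'unsolicited' or 'reject'."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return "reject"
    if root.get("Destination") != SP_ACS_URL:
        return "reject"  # not addressed to our endpoint
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated SSO: the unsolicited-response processing rules apply.
        return "unsolicited"
    if in_response_to in pending_request_ids:
        pending_request_ids.discard(in_response_to)  # consume once (anti-replay)
        return "solicited"
    # InResponseTo names a request this SP never sent. That is the third-party
    # AuthnRequest case: the IdP believes it is answering a request, but the
    # requester was not us. Under the standard rules the SP must reject it.
    return "reject"


def make_response(in_response_to=None) -> str:
    """Build a constructed (unsigned, assertion-less) Response for the demo."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_r1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z" '
        f'Destination="{SP_ACS_URL}"{irt}>'
        f'<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>'  # hypothetical IdP
        f'</samlp:Response>'
    )


def demo() -> dict:
    pending = {"_sp_req_42"}  # the one request this SP actually issued
    return {
        "own_request": classify_response(make_response("_sp_req_42"), pending),
        "idp_initiated": classify_response(make_response(), pending),
        # issued by a third party on the SP's behalf; its ID is unknown to the SP
        "third_party": classify_response(make_response("_thirdparty_req_7"), pending),
    }
```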
