[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Non-browser HTTP binding for SAML
Hi,

Here is a description of what we are doing at AOL and how we are using SimpleSign to secure server-to-server messages over HTTP.

Basically, we have a number of partners that want to use/white label our existing Instant Messaging clients. The clients use a proprietary protocol between the client and AOL. In order to support our partners (basically federation) we developed a very simple protocol to pass the partner their user's credentials and get back a yes/no answer as to whether the user authenticated correctly or not. Note that these credentials are hashed on the client.

There are a couple of problems with the current AOL-to-partner protocol, so we are upgrading it to be as standard as possible :) (e.g. using SimpleSign in a way it wasn't intended).

Since AOL is really asking the partner to authenticate their user, I am currently sending an AuthnRequest message to the partner and expecting a Response message in return. In order to secure the messages, both the AuthnRequest and the Response message are signed using the SimpleSign algorithm.

My original question stemmed from the current requirement in SimpleSign to always have the Destination attribute (makes sense if going through a browser, but not in a direct server-to-server call).

So, I guess the ultimate question is whether there is interest in making an HTTP binding for the SAML protocol that doesn't require SOAP and supports direct server-to-server calls.

In thinking more about this, it might be just as easy to support an OAuth-compatible binding. Google is supporting RSA signing with OAuth, so I believe we could achieve equivalent security.

Another option would be to just extend SimpleSign to support signing of arbitrary HTTP-based messages. I think all that is needed here is to allow the message to specify the parameters that need to be signed. Basically, just add a 'Signed' parameter that in the SAML case could be 'SAMLRequest,RelayState,SigAlg'. Of course the Signed parameter would be signed, and we'd have to describe how to build the signature-base-string.

Thanks,
George

-- 
Chief Architect              AIM: gffletch
Identity Services            Work: george.fletcher@corp.aol.com
AOL LLC                      Home: gffletch@aol.com
Mobile: +1-703-462-3494      Office: +1-703-265-2544
Blog: http://practicalid.blogspot.com
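Added example (not code from the message above, nor AOL's or the SAML TC's): one way to work out the 'Signed' parameter sketch in George's last paragraph, so the signature-base-string question can be looked at concretely. Assumptions, none of which come from the message: HMAC-SHA256 with a shared key stands in for the RSA/DSA signature SimpleSign would actually carry (so the SigAlg value is a made-up label, not an XML-DSig URI); the base string is one reading of "name=value pairs joined with &, followed by the Signed list", not the SimpleSign specification's exact string; the AuthnRequest, RelayState and key are constructed sample data. Two checks the sketch does not spell out are shown on the verifier side: the Signed list must cover the parameters the verifier relies on (otherwise anyone can narrow the list, and a signer can quietly leave RelayState out of scope), and values are percent-encoded so a value containing '&' or '=' cannot be confused with a parameter boundary.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode

# Assumption: a made-up SigAlg label for the HMAC-SHA256 stand-in used here.
# Real SimpleSign carries an XML-DSig algorithm URI and a public-key signature.
SIG_ALG = "urn:example:hmac-sha256-demo"

# The parameter set named in the message: 'SAMLRequest,RelayState,SigAlg'.
# The verifier insists the Signed list covers at least these, so neither the
# sender nor an attacker editing the list can take RelayState out of scope.
REQUIRED_SIGNED = ("SAMLRequest", "RelayState", "SigAlg")


def build_base_string(params, signed_names):
    """Concatenate name=value pairs in the order given by 'Signed', then append
    the Signed list itself, so the list of covered parameters is also signed.
    Values are percent-encoded (nothing left in 'safe') so a value containing
    '&' or '=' cannot be confused with a parameter boundary."""
    parts = []
    for name in signed_names:
        if name not in params:
            raise ValueError(f"parameter {name!r} listed in Signed but absent")
        parts.append(f"{name}={quote(params[name], safe='')}")
    parts.append("Signed=" + quote(",".join(signed_names), safe=""))
    return "&".join(parts)


def sign_message(params, key, signed_names=REQUIRED_SIGNED):
    """Return a copy of params with SigAlg, Signed and Signature added."""
    msg = dict(params)
    msg["SigAlg"] = SIG_ALG
    msg["Signed"] = ",".join(signed_names)
    base = build_base_string(msg, signed_names)
    mac = hmac.new(key, base.encode("utf-8"), hashlib.sha256).digest()
    msg["Signature"] = base64.b64encode(mac).decode("ascii")
    return msg


def verify_message(msg, key, required=REQUIRED_SIGNED):
    """Recompute the base string from the received parameters and compare
    signatures in constant time. Reject if Signed omits a required parameter
    or if SigAlg is not an algorithm this verifier accepts: the verifier, not
    the message, decides which algorithms are acceptable."""
    try:
        signed_names = tuple(msg["Signed"].split(","))
        sig = base64.b64decode(msg["Signature"], validate=True)
    except (KeyError, ValueError):
        return False
    if msg.get("SigAlg") != SIG_ALG:
        return False
    if any(name not in signed_names for name in required):
        return False
    try:
        base = build_base_string(msg, signed_names)
    except ValueError:
        return False
    expected = hmac.new(key, base.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def encode_form(msg):
    """application/x-www-form-urlencoded body for the server-to-server POST."""
    return urlencode(msg)


def decode_form(body):
    """Parse the POST body; a duplicated parameter name is rejected outright
    rather than letting 'first wins' / 'last wins' decide which copy is signed."""
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        raise ValueError("duplicate parameter name in form body")
    return dict(pairs)


# Constructed sample data: a minimal AuthnRequest, relay state and key.
# Not real AOL or partner traffic.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.com</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_PARAMS = {
    "SAMLRequest": base64.b64encode(SAMPLE_AUTHN_REQUEST.encode("utf-8")).decode("ascii"),
    "RelayState": "partner-session-42",
}
SAMPLE_KEY = b"constructed-shared-secret"  # stand-in for the partner's signing key

if __name__ == "__main__":
    signed = sign_message(SAMPLE_PARAMS, SAMPLE_KEY)
    received = decode_form(encode_form(signed))
    print("verifies after transport:", verify_message(received, SAMPLE_KEY))
    tampered = dict(signed, RelayState="https://attacker.example/callback")
    print("tampered RelayState accepted:", verify_message(tampered, SAMPLE_KEY))
    narrowed = dict(signed, Signed="SAMLRequest,SigAlg")
    print("narrowed Signed list accepted:", verify_message(narrowed, SAMPLE_KEY))
```

The base string here is order-sensitive by design: the receiver rebuilds it from the order given in the received Signed parameter, so sender and receiver never have to agree on a canonical parameter ordering out of band. What they do have to agree on is the encoding of values and the set of parameters that must appear in Signed; both are policy the verifier enforces, not something the message gets to declare for itself.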