security-services message


Subject: Non-browser HTTP binding for SAML


Here is a description of what we are doing at AOL and how we are using 
SimpleSign to secure server-to-server messages over HTTP.

Basically, we have a number of partners that want to use/white label our 
existing Instant Messaging clients. The clients use a proprietary 
protocol between the client and AOL. In order to support our partners 
(basically federation) we developed a very simple protocol to pass the 
partner their user's credentials and get back a yes/no answer as to 
whether the user authenticated correctly or not. Note that these 
credentials are hashed on the client.

There are a couple of problems with the current AOL-to-partner protocol 
so we are upgrading it to be as standard as possible:) (e.g. using 
SimpleSign in a way it wasn't intended). Since AOL is really asking the 
partner to authenticate their user, I am currently sending an 
AuthnRequest message to the partner and expecting a Response message in 
return. In order to secure the messages, both the AuthnRequest and the 
Response message are signed using the SimpleSign algorithm.

My original question stemmed from the current requirement in SimpleSign 
to always have the Destination attribute (makes sense if going through a 
browser, but not in a direct server-to-server call).

So, I guess the ultimate question is whether there is interest in making 
an HTTP binding for the SAML protocol that doesn't require SOAP and 
supports direct server-to-server calls. In thinking more about this, it 
might be just as easy to support an OAuth compatible binding. Google is 
supporting RSA signing with OAuth so I believe we could achieve 
equivalent security.

Another option would be to just extend SimpleSign to support signing of 
arbitrary HTTP based messages. I think all that is needed here is to 
allow the message to specify the parameters that need to be signed.  
Basically, just add a 'Signed' parameter that in the SAML case could be 
'SAMLRequest,RelayState,SigAlg'. Of course the Signed parameter would be 
signed and we'd have to describe how to build the signature-base-string.


Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher@corp.aol.com
AOL LLC                           Home: gffletch@aol.com
Mobile: +1-703-462-3494
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
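The 'Signed' parameter idea sketched in the message above, worked through as an added example that is not part of this post, of SimpleSign, or of AOL's protocol. The signature-base-string construction (name=value pairs for each name listed in Signed, in that order, then Signed itself, joined with '&', values percent-encoded) is an assumption made for this illustration, as is the use of an HMAC shared key in place of the RSA signature a real deployment would use; the algorithm URI is the hmac-sha256 identifier from RFC 4051. The receiver side shows the two checks a verifier needs: the Signed list must itself be covered by the signature, and the receiver must insist that the parameters it cares about (here SAMLRequest and SigAlg) actually appear in that list.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Real algorithm identifier (RFC 4051). HMAC stands in here for the
# asymmetric signature a real SimpleSign deployment would carry in SigAlg.
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed demo key shared by the two servers; not a real credential.
DEMO_KEY = b"constructed-demo-shared-key"


def signature_base_string(params: dict, signed: str) -> str:
    """Assumed construction (not from the message): one name=value pair per
    name listed in 'Signed', in that order, then Signed itself, joined with
    '&'. Values are percent-encoded so a '&' or '=' inside a value cannot
    shift field boundaries and let two different messages sign identically."""
    names = signed.split(",")
    if "Signed" in names or any(not n for n in names):
        raise ValueError("malformed Signed list")
    pieces = []
    for name in names:
        if name not in params:
            raise KeyError(f"parameter named in Signed is absent: {name}")
        pieces.append(name + "=" + urllib.parse.quote(params[name], safe=""))
    pieces.append("Signed=" + urllib.parse.quote(signed, safe=""))
    return "&".join(pieces)


def sign_message(params: dict, signed: str, key: bytes = DEMO_KEY) -> dict:
    """Sender side: add Signed and Signature to an outgoing parameter set."""
    if params.get("SigAlg") != HMAC_SHA256:
        raise ValueError("only the HMAC stand-in algorithm is implemented here")
    out = dict(params)
    out["Signed"] = signed
    base = signature_base_string(out, signed).encode("utf-8")
    mac = hmac.new(key, base, hashlib.sha256).digest()
    out["Signature"] = base64.b64encode(mac).decode("ascii")
    return out


def verify_message(msg: dict, required=("SAMLRequest", "SigAlg"),
                   key: bytes = DEMO_KEY) -> bool:
    """Receiver side: rebuild the base string from the names the message
    itself lists in Signed, check the MAC in constant time, and refuse any
    message whose Signed list omits a parameter the receiver requires, so a
    party in the path cannot quietly shrink the protected set."""
    try:
        signed = msg["Signed"]
        names = signed.split(",")
        if any(r not in names for r in required):
            return False
        if msg.get("SigAlg") != HMAC_SHA256:
            return False
        base = signature_base_string(msg, signed).encode("utf-8")
        expected = hmac.new(key, base, hashlib.sha256).digest()
        provided = base64.b64decode(msg["Signature"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, provided)


def demo():
    """Sign a constructed server-to-server request, then show that both a
    changed RelayState and a shortened Signed list fail verification."""
    outgoing = {
        # Constructed stand-in; a real value is the encoded AuthnRequest XML.
        "SAMLRequest": base64.b64encode(b"<AuthnRequest ID='constructed'/>").decode(),
        "RelayState": "session=abc&step=2",
        "SigAlg": HMAC_SHA256,
    }
    msg = sign_message(outgoing, "SAMLRequest,RelayState,SigAlg")
    genuine = verify_message(msg)
    tampered = dict(msg, RelayState="session=abc&step=9")
    shrunk = dict(msg, Signed="SAMLRequest,SigAlg")
    return genuine, verify_message(tampered), verify_message(shrunk)


if __name__ == "__main__":
    print(demo())
```

Because Signed is appended to the base string, changing the list changes the signed bytes, which is why the shrunk variant in demo() fails even though every parameter it still names is untouched; the `required` check covers the remaining case where a sender legitimately signs too little.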
