OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: New Provision Profile for NSN/Oracle Attribute Mgmt Discussion

Thomas et al,

For tomorrow's conference call regarding the NSN/Oracle Attribute  
Management Agenda item:

Based on the last SSTC call, I took the liberty to re-work the  
provisioning scenario a bit based on everyones feedback.  The key to  
this, is the idea that the SP can issue an "unsolicited" <Response> as  
if it where an IDP directly to the Target IDP. This idea works for the  
front-channel only and addresses Scott's concern of maintaining/ 
transferring authentication (in the back-channel, we'll have to figure  
out some other method).

New flow:

1. User initiates a request to change or provision to a target IDP.
2-4. Before proceeding the SP performs a local authentication. This  
can be via SAML or some other method (e.g. LDAP).
5. The user indicates which IDP will be the new Target IDP
6. Based on SLA, the SP issues a SSO Provisioning request by issuing  
an IDP initiated request (unsolicited response). The response contains  
an attribute "RelayState" set to some value meaningful to the  
TargetIDP. In this case, RelayState might be set to "Provision" or  
"AddSubject".  Question: Should relayState value be profiled in the  
standard?
7. Having received an SSO request from the SP (now acting as IDP), the  
TargetIDP receives the request for the SP authenticated user and  
begins a process of creating a new account. Depending on the claims  
asserted by the SP, the Target IDP may need to merge the request with  
an existing account or create a new one.
8. The Target IDP returns with an authentication response of its own.
9. The SP accepts the new SSO token and "federates" the new token with  
its own information by associating the new NameID with the old profile.
10. Process complete

PNG image



This approach does have the advantage that it fits within the current  
SAML 2 spec. The downside is that SP has to have IDP capability, and  
the SP and IDP have to agree on the provisioning request.

Would this work? Would the reverse mode (user starts at IDP) work as  
normal? Other issues?

Phil
phil.hunt@oracle.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]