mace-opensaml-users - RE: regarding

  • From: Scott Cantor <>
  • To: "'Laxmanareddy, Tathireddy (IE10)'" <>,
  • Subject: RE: regarding
  • Date: Wed, 23 Jul 2003 11:00:40 -0400
  • Importance: Normal
  • Organization: The Ohio State University

>I list what I perceive can be done
>1. Can build SAML response at intersite transfer service and send it so
>that assertion consumer service can accept it.
>2. I can sign the assertions.
>3. I can verify the signatures.

If you're using the POST profile, you should just use the SAMLPOSTProfile
methods, since they do all of that for you on both ends.

>I am not clear on
>1. How session management is done on application side. For entering into an
>application user needs to get into session. Should the assertion consumer
>service create a session for user?

Out of scope for SAML 1.0/1.1, and up to you.

>2. how the mapping of usernames is done ?

Also out of scope for now. You might want to look at the Liberty Alliance
work, which is SAML like, but goes much farther and includes account linking
protocols. PingID has an open source version in Java for non-commercial use.

>3. where should the application store information as to what sites it can
>grant permission to under SSO?

Not sure what you mean, but if you're talking about how to build the trust
between the sites for verifying the signed data, that's also out of scope.
Shibboleth has quite a lot of advanced functionality for trust
establishment, but none of that is in this library, it's another layer up.

>4. Where should the assertion IDs and timestamp be stored, and how is an
>assertion ID expired after the timestamp?

For the POST profile, there's an in-memory replay cache which could be
replaced pretty easily with a persistent cache. I didn't see it as all that
necessary in practice, since the assertions are short lived here. To get the
cache to function, you have to use the wrapper POSTProfile class and not the
core classes directly.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
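The replay cache Scott describes for the POST profile keys on the assertion ID and only needs to retain an entry until the assertion's own validity window (the `NotOnOrAfter` instant in `Conditions`) has passed, since a stale assertion is rejected on timing alone. The following is an added illustration of that idea, not code from OpenSAML or from anyone on this thread: it parses the `AssertionID` and `NotOnOrAfter` from a SAML 1.x assertion, and an in-memory cache refuses any ID it has already seen while dropping entries once they can no longer be replayed. The element names and namespace are those of SAML 1.0/1.1; the sample assertion, the clock-skew allowance and the injectable clock are assumptions made for the example.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def parse_assertion(xml_text: str) -> Tuple[str, float]:
    """Return (AssertionID, NotOnOrAfter as POSIX seconds) from a SAML 1.x assertion.

    An assertion without NotOnOrAfter is refused outright: without an expiry
    the replay cache could never discard its entry.
    """
    root = ET.fromstring(xml_text)
    assertion_id = root.attrib["AssertionID"]
    conditions = root.find(f"{{{SAML1_NS}}}Conditions")
    if conditions is None or "NotOnOrAfter" not in conditions.attrib:
        raise ValueError("assertion carries no NotOnOrAfter; refusing to cache it unbounded")
    # SAML timestamps are UTC; fromisoformat needs "+00:00" rather than "Z" on older Pythons
    stamp = conditions.attrib["NotOnOrAfter"].replace("Z", "+00:00")
    expiry = datetime.fromisoformat(stamp)
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)
    return assertion_id, expiry.timestamp()


class AssertionReplayCache:
    """In-memory replay cache keyed by assertion ID (assumed design, not OpenSAML's).

    Each ID is remembered until NotOnOrAfter plus the allowed clock skew; after
    that instant the assertion would fail the validity check anyway, so the
    entry is purged. A persistent store could replace the dict unchanged.
    """

    def __init__(self, clock_skew: float = 180.0, now: Callable[[], float] = time.time):
        self._seen: Dict[str, float] = {}   # assertion ID -> instant after which it is purgeable
        self._skew = clock_skew
        self._now = now

    def _purge(self, now: float) -> None:
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def check(self, assertion_id: str, not_on_or_after: float) -> bool:
        """True if the assertion may be accepted: still valid and not seen before."""
        now = self._now()
        self._purge(now)
        if not_on_or_after + self._skew <= now:
            return False            # validity window already over: reject on timing
        if assertion_id in self._seen:
            return False            # replay: same ID presented a second time
        self._seen[assertion_id] = not_on_or_after + self._skew
        return True

    def size(self) -> int:
        self._purge(self._now())
        return len(self._seen)


# Constructed sample assertion for the example (not a real exchange).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-assertion-1" Issuer="https://idp.example.test"
    IssueInstant="2003-07-23T15:00:40Z">
  <saml:Conditions NotBefore="2003-07-23T15:00:40Z" NotOnOrAfter="2003-07-23T15:05:40Z"/>
</saml:Assertion>
"""


def demo() -> List[bool]:
    """Accept a fresh assertion, reject its replay, reject it again once expired."""
    aid, expiry = parse_assertion(SAMPLE_ASSERTION)
    clock = [expiry - 120.0]                      # "now" is two minutes before expiry
    cache = AssertionReplayCache(clock_skew=0.0, now=lambda: clock[0])
    first = cache.check(aid, expiry)              # True: first sighting, still valid
    replay = cache.check(aid, expiry)             # False: same ID again
    clock[0] = expiry + 1.0                       # move past NotOnOrAfter
    late = cache.check(aid, expiry)               # False: expired, and cache entry purged
    return [first, replay, late, cache.size() == 0]


if __name__ == "__main__":
    print(demo())
```

The cache is only consulted after signature verification has succeeded, which is the order Scott's wrapper class imposes by bundling the two; checking replay first would let an unsigned forgery poison the cache with a legitimate ID.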