mace-opensaml-users - RE: Help wanted on single sign on

Subject: OpenSAML user discussion

  • From: Bob Daly <>
  • To:
  • Subject: RE: Help wanted on single sign on
  • Date: Mon, 10 Nov 2003 17:43:49 -0800 (PST)

Hi,

I've read the SAML bindings doc, and I'm having
trouble envisioning how SAML assertions persist across
SAML compliant apps and services. Let's say I have a
web app that issues an AuthenticationQuery for some
subject to an issuing authority service and then
receives an assertion. The assertion will function as
a security token to then access, for example, an XACML
based policy decision point.

Are assertion documents usually stored by the web app
(using cookies or perhaps a db)? Are they also stored
by the issuing authority? Does the Shibboleth doc
describe use cases that would clarify this?

thanks,
-Bob Daly


> What you need to first do is read over the SAML 1.1 specification,
> particularly the bindings and profiles document where the browser profiles
> are described. They define the formats and processing rules for doing what
> you're talking about using SAML.
>
> There are dozens of proprietary approaches to doing the same thing, many
> universities have them, and they all work at least somewhat alike on the
> surface, but implementing yet another one isn't all that useful a project.
>
> OpenSAML supports a simplifying class for doing work with the POST profile,
> but doesn't currently have a similar class for the artifact profile. I'm
> hoping to work on that at some point soon.
>
> The harder work is in providing the supporting code and the policy/trust
> layer, and integrating it into a web server environment on both ends, which
> is what Shibboleth does.
>
> -- Scott

