
mace-opensaml-users - RE: SAML Constraints

Subject: OpenSAML user discussion


RE: SAML Constraints


  • From: "Rathod, Ashish (A.K.)" <>
  • To: "'Scott Cantor'" <>
  • Subject: RE: SAML Constraints
  • Date: Thu, 25 Mar 2004 15:54:27 -0500

So then the entity needs to authenticate using some other mechanism and then
go to a SAML Authority to get a token which it can provide to other systems.
Doesn't this sound like certificates?

Ashish

-----Original Message-----
From: Scott Cantor
Sent: Thursday, March 25, 2004 3:47 PM
To: Rathod, Ashish (A.K.)
Subject: RE: SAML Constraints


> It seems that SAML Query should not be used as the first
> authentication for any entity? Is this true? If so why?

Because as the spec makes clear, it's not designed to perform
authentication, it's a way of accessing assertions about authentication
after the fact. It actually has very little obvious use (to me anyway).

There is a protocol in the 2.0 draft that is at least the beginning of a
credentials collection operation that is appropriate to use for this, but it
doesn't generally put the user's credentials inside the message (the client
needs to know how to authenticate to the server) and it needs to be profiled
to make it work in an interoperable way for a particular purpose.

The new browser SSO profile will be layered on this protocol, hopefully.

-- Scott
