OpenSAML user discussion

["RL 'Bob' Morgan" <>]

On Mon, 11 Jul 2005, Garcia, Gene wrote:

> Let me restate the question...
> Is there a way to send an AuthenticationQuery with no Subject?
>
> Below is an example AuthenticationQuery generated with opensaml...
>
> <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
>    xmlns:xsd="http://www.w3.org/2001/XMLSchema";
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; IssueInstant="2005-07-08T00:51:03.051Z" 
> MajorVersion="1" MinorVersion="1" RequestID="_44d43ce7b98ab014c635c5820953a779">
>    <AuthenticationQuery AuthenticationMethod="password">
>        <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
>            <NameIdentifier 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></NameIdentifier>
>        </Subject>
>    </AuthenticationQuery>
> </Request>

Ah.  No.  An AuthenticationQuery is for the purpose of asking about an 
existing authentication statement/assertion regarding a subject, just as 
an AttributeQuery is for asking about attributes of an existing subject. 
An AuthenticationQuery is not used to initiate authentication.  SAML does 
not include an "authentication protocol" per se (in the sense of Kerberos, 
eg), though whether to do so was discussed extensively by the SAML TC.

Some folks come to SAML looking for a standardized way of authenticating a 
SOAP interaction, but SAML itself is not a SOAP-oriented protocol.  SAML 
assertions can be used as security tokens in the WS-Security protocol, 
though.

 - RL "Bob"