
mace-opensaml-users - RE: [OpenSAML] local part cannot be "null" when creating a QName during unmarshalling an Assertion object

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [OpenSAML] local part cannot be "null" when creating a QName during unmarshalling an Assertion object
  • Date: Thu, 4 Mar 2010 16:12:16 -0500
  • Organization: The Ohio State University

> In our case I am not sure if I can completely integrate the Shibboleth's
> WebSSO solution you are proposing because there is already IDP initialized
> through a third party IDP that provides us the NTLM token obtained through a
> windows logon. Our custom Spring SSO solution gives us the User Token and
> more specifically the principal.

If you're using Windows security, seems like you're done. No SAML needed.

> So all we have to do now is issue an HTTP POST (preferred to HTTPRedirect
> which uses a GET) binding to the Service Provider (SP) in the form of a
> <samlp:Response> and pass the serialized encoded signed assertion using the
> protocol message exchange.

I don't know how you think you'd get an assertion or what would be in it, or
how you think you're going to secure it all, but you're describing the
standard browser SSO profile response, and I suggested using a variant of
that designed for non-browsers, so I don't know why you think it doesn't
apply.

> So here is what I am thinking I need to do
>
> 1. Build the Assertion myself (rather than through a samlp:AuthnRequest
> to an IDP)

Who is "myself"? An IdP? A client can't just make up an assertion, it serves
no purpose to do so.

-- Scott




