mace-opensaml-users - Re: [OpenSAML] client side auth

Subject: OpenSAML user discussion

Re: [OpenSAML] client side auth


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] client side auth
  • Date: Fri, 19 Mar 2010 23:00:36 -0400



On 3/19/2010 9:51 PM, rangeli nepal wrote:
> Good Evening Everybody,
>
> I am trying to write an SP which will communicate with an IDP that
> requires client side auth.


What do you mean by "client side auth"? If the "client" in this case is
a web browser user agent, and you are invoking a front-channel binding
(as implied by the encoders you mention below), for example as a part of
the Web SSO profile, the answer is: you (the SP) don't handle this.
Authentication of the browser user to the IdP is up to the IdP, and is
out of scope of the SAML spec (at least the Web SSO profile).

If you are talking about communicating with the IdP over the SOAP
binding, and the IdP requires client TLS auth, there is an example of
that here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaSOAPClientExample



> Looking at the classes provided in opensaml I see classes like
> HttpRedirectDeflateEncoder or HttpPostEncoder that do most of the
> things.
> They even dispatch the request using sendRedirect or the post method.


Those encoders implement the similarly-named front-channel bindings of
SAML. In those use cases, you as the SP are not involved in how the
browser user agent, in the middle of the flow between the IdP and SP, is
authenticated.


--Brent


