mace-opensaml-users - Re: [OpenSAML] client side auth
Subject: OpenSAML user discussion
- From: rangeli nepal <>
- To:
- Subject: Re: [OpenSAML] client side auth
- Date: Sat, 20 Mar 2010 00:53:56 -0400
By client side auth., I was under the impression that the SP will provide its cert to the IDP (obviously the IDP will provide its SSL credential to the SP) before the real user is presented with a login screen.
But reading your email, it looks like, if we are doing the Web Browser SSO profile, we cannot do that.
Once the SP redirects to the IDP, the interaction is constrained to between the IDP and the web browser, and the web browser does not have the SP cert.
On Fri, Mar 19, 2010 at 11:00 PM, Brent Putman <> wrote:
On 3/19/2010 9:51 PM, rangeli nepal wrote:
> Good Evening Everybody,
>
> I am trying to write a SP which will communicate with an IDP that
> requires client side auth.
What do you mean by "client side auth"? If the "client" in this case is
a web browser user agent, and you are invoking a front-channel binding
(as implied by the encoders you mention below), for example as a part of
the Web SSO profile, the answer is: you (SP) don't handle this.
Authentication of the browser user to the IdP is up to the IdP, and is
out of scope of the SAML spec (at least the Web SSO profile).
If you are talking about communicating with the IdP over the SOAP
binding, and the IdP requires client TLS auth, there is an example of
that here:
https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaSOAPClientExample
> Looking at the classes provided in opensaml I see classes like
> HttpRedirectDeflateEncoder or HttpPostEncoder that do most of the
> things.
> They even dispatch the request using sendRedirect or post method.
Those encoders implement the similarly-named front-channel bindings of
SAML. In those use cases, you as the SP are not involved in how the
browser user agent, in the middle of the flow between the IdP and SP, is
authenticated.
--Brent
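To make Brent's point concrete, here is an added example (not code from the thread or from OpenSAML) that does by hand what an HTTP-Redirect DEFLATE encoder does: raw-deflate the AuthnRequest, base64 it, and put it in the query string the browser is redirected with. Everything the IdP receives in this leg comes from the browser's request; the SP's certificate is never part of it, which is why TLS client auth has no place in this binding. The AuthnRequest, IDs and URLs below are constructed placeholders.

```python
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest; ID and URLs are placeholders, not real endpoints.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2010-03-20T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs"/>'
)


def redirect_encode(saml_request: str, idp_sso_url: str,
                    relay_state: Optional[str] = None) -> str:
    """Build the redirect URL the HTTP-Redirect binding specifies:
    raw DEFLATE (no zlib header/trailer), base64, then URL-encode as SAMLRequest.
    This is the SP side; the browser simply follows the Location header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 => raw deflate
    deflated = comp.compress(saml_request.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def redirect_decode(url: str) -> Tuple[str, Optional[str]]:
    """IdP side: reverse the steps on the URL the browser arrived with.
    Note that nothing here identifies the browser user or the SP's TLS identity;
    the IdP must authenticate the user itself, as the thread explains."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    location = redirect_encode(SAMPLE_AUTHN_REQUEST,
                               "https://idp.example.org/sso", "state-1")
    print(location)
    print(redirect_decode(location))
```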