
mace-opensaml-users - Re: [OpenSAML] client side auth


  • From: rangeli nepal <>
  • To:
  • Subject: Re: [OpenSAML] client side auth
  • Date: Sat, 20 Mar 2010 00:53:56 -0400



By client side auth., I was under the impression that the SP will provide its cert to the IDP (obviously the IDP will provide its SSL credential to the SP) before the real user is presented with a login screen.

But reading your email, it looks like, if we are doing the Web browser based SSO profile, we cannot do that.
Once the SP redirects to the IDP, the interaction is constrained to between the IDP and the web browser, and the web browser does not have the SP cert.


On Fri, Mar 19, 2010 at 11:00 PM, Brent Putman <> wrote:


On 3/19/2010 9:51 PM, rangeli nepal wrote:
> Good Evening Everybody,
>
> I am trying to write an SP which will communicate with an IDP that
> requires client side auth.


What do you mean by "client side auth"?  If the "client" in this case is
a web browser user agent, and you are invoking a front-channel binding
(as implied by the encoders you mention below), for example as a part of
the Web SSO profile, the answer is: you (the SP) don't handle this.
Authentication of the browser user to the IdP is up to the IdP, and is
out of scope of the SAML spec (at least the Web SSO profile).

If you are talking about communicating with the IdP over the SOAP
binding, and the IdP requires client TLS auth, there is an example of
that here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaSOAPClientExample



> Looking at the classes provided in OpenSAML I see classes like
> HttpRedirectDeflateEncoder or HttpPostEncoder that do most of the
> things.
> They even dispatch the request using sendRedirect or post method.


Those encoders implement the similarly-named front-channel bindings of
SAML. In those use cases, you as the SP are not involved in how the
browser user agent, in the middle of the flow between the IdP and SP, is
authenticated.


--Brent
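
The exchange above is easier to see with the bytes the front channel actually carries. The following is an added example (not code from the thread or from OpenSAML) that performs, in Python, the HTTP-Redirect DEFLATE encoding that OpenSAML's HttpRedirectDeflateEncoder does on the SP side, and the matching decode an IdP performs. The AuthnRequest, the entity IDs and the IdP URL are constructed sample values; the request is left unsigned (a signed redirect would add SigAlg and Signature query parameters). The point it demonstrates is Brent's: the redirect URL handed to the browser contains only the encoded request and RelayState, so no SP certificate or TLS credential is ever in play on that leg.

```python
import base64
import urllib.parse
import zlib
from typing import Optional

# Constructed sample AuthnRequest (hypothetical IDs and URLs); a real SP would
# build this from OpenSAML's object model before handing it to the encoder.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id-123" Version="2.0" IssueInstant="2010-03-20T04:53:56Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def deflate_encode(xml: str) -> str:
    """Raw DEFLATE (no zlib header) followed by base64, as the HTTP-Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")

def deflate_decode(value: str) -> str:
    """Reverse of deflate_encode; zlib-wrapped input (a common SP bug) raises zlib.error here."""
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")

def build_redirect_url(idp_sso_url: str, authn_request_xml: str,
                       relay_state: Optional[str] = None) -> str:
    """What the SP sends the browser to: the IdP SSO URL plus SAMLRequest (and RelayState)."""
    params = {"SAMLRequest": deflate_encode(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urllib.parse.urlencode(params)

def parse_redirect_url(url: str) -> dict:
    """IdP side: recover the request, the RelayState and the list of parameters that arrived."""
    query = urllib.parse.urlsplit(url).query
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return {
        "SAMLRequest": deflate_decode(params["SAMLRequest"]),
        "RelayState": params.get("RelayState"),
        "params": sorted(params),  # only SAMLRequest/RelayState: nothing about the SP's cert
    }

if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/SSO", SAMPLE_AUTHN_REQUEST, "https://sp.example.org/app")
    print(url)
    print(parse_redirect_url(url))
```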


