
shibboleth-dev - RE: AQM

  • From: "Wilcox, Mark" <>
  • To: "Shahzad Younas" <>, <>
  • Subject: RE: AQM
  • Date: Sun, 27 Mar 2005 20:45:15 -0500

Shahzad,
This currently uses HTTPS client-side certificates. Meaning it's part of the HTTP request cycle - before the message ever gets to the AA.
 
There is not going to be an easy way to "capture" this cert and replay it - that would have serious security consequences.
 
As I've said many times to you - your proxy is going to have to act as the AA to your real SHAR. And then act as a SHAR to the actual AA - meaning your proxy needs to send the certificates to the AA - not the real SHAR.
 
Mark


From: Shahzad Younas [mailto:]
Sent: Sun 3/27/2005 7:07 PM
To:
Subject: RE: AQM

Another quick question.... is the X.509 certificate included in the SAMLResponse produced by the HS upon a successful login?
Could I extract this, then sign an AQM with it to get access to the attributes which can only be released by signed requests?
 
Thanks
Shahzad


From: Wilcox, Mark [mailto:]
Sent: 27 March 2005 21:40
To: Shahzad Younas;
Subject: RE: AQM

AFAIK - the AQM doesn't have to be signed - but the client MUST authenticate via client-side X.509 certificates to the AA to get all of the attributes. Otherwise you're only going to get attributes deemed acceptable by anonymous queries - which may or may not be what you're looking for.
 
Mark


From: Shahzad Younas [mailto:]
Sent: Sun 3/27/2005 3:34 PM
To:
Subject: RE: AQM

Thanks guys that's great. Exactly what I was after!
For any AQM going to the AA, do they have to be signed? Or is it optional?
If they were to be signed, where/how does one configure that option in the shibb setup?

Thanks
Shahzad

-----Original Message-----
From: Tom Scavo []
Sent: 27 March 2005 19:39
To: Shahzad Younas
Cc:
Subject: Re: AQM

See
http://shibboleth.internet2.edu/docs/draft-scavo-shib-techoverview-01.pdf
which gives lots of detail regarding attribute queries.


On Sun, 27 Mar 2005 17:49:29 +0100, Shahzad Younas <> wrote:
> Hi,

> If I was to form my own AQM to POST to the AA, is there a standard
> format for a request? What pieces of data would I need to insert into
> this standard format?
> Obviously the user handle would need to be in the AQM. I know the
> protocol schema is in the shibb guides, but I was wondering if someone
> could email me the text of a typical AQM and point out to me which
> bits I need to change to make a specific request.

> Many Thanks
> Shahzad
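The thread asks what a typical attribute query looks like and what changes per request, and Mark's replies make the point that in this deployment the query itself is not signed: the AA decides what to release from whether the requester authenticated at the TLS layer with a client certificate. The following is an added example, not code from the thread or from the Shibboleth project. It builds a SAML 1.1 AttributeQuery with the Shibboleth 1.x handle format, parses and checks one as an AA would before acting on it, and models the "anonymous vs. authenticated" release decision. The SAML 1.1 element structure and the two `urn:mace:shibboleth:1.0:*` URIs come from the SAML/Shibboleth specifications rather than from this page; the provider IDs, handle, attribute names and release policy are constructed placeholders.

```python
"""SAML 1.1 AttributeQuery (Shibboleth 1.x "AQM") build / check example.

Added example; not code from the mailing-list thread or the Shibboleth
project. Element names follow SAML 1.1; all identifiers are constructed.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Shibboleth 1.x name identifier format for the opaque handle issued by the HS.
SHIB_HANDLE_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
# Attribute namespace Shibboleth 1.x uses for URI-named attributes.
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_attribute_query(handle, idp_provider_id, resource, attribute_names=()):
    """Return the XML text of a samlp:Request carrying one AttributeQuery.

    The only per-request pieces are the handle (from the HS response), the
    NameQualifier (the origin that issued it), the Resource (the requesting
    site) and, optionally, which attributes are being asked for.
    """
    request = ET.Element(f"{{{SAMLP_NS}}}Request", {
        "MajorVersion": "1",
        "MinorVersion": "1",
        "RequestID": "_" + uuid.uuid4().hex,  # xsd:ID must not start with a digit
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    query = ET.SubElement(request, f"{{{SAMLP_NS}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier",
                            {"Format": SHIB_HANDLE_FORMAT, "NameQualifier": idp_provider_id})
    name_id.text = handle
    for name in attribute_names:  # no designators means "everything you will release"
        ET.SubElement(query, f"{{{SAML_NS}}}AttributeDesignator",
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    return ET.tostring(request, encoding="unicode")


def parse_attribute_query(xml_text):
    """Validate the structural points an AA checks and pull out the fields.

    Raises ValueError on anything it would refuse. The stdlib expat parser
    does not fetch external entities, so the DTD/XXE class of problems does
    not apply here; schema validation proper is out of scope for the example.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Request":
        raise ValueError("top-level element is not samlp:Request")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unsupported SAML version")
    query = root.find(f"{{{SAMLP_NS}}}AttributeQuery")
    if query is None:
        raise ValueError("request carries no AttributeQuery")
    name_id = query.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeQuery has no handle in Subject/NameIdentifier")
    if name_id.get("Format") != SHIB_HANDLE_FORMAT:
        raise ValueError("NameIdentifier is not a Shibboleth handle")
    return {
        "request_id": root.get("RequestID"),
        "handle": name_id.text.strip(),
        "name_qualifier": name_id.get("NameQualifier"),
        "resource": query.get("Resource"),
        "attributes": [d.get("AttributeName")
                       for d in query.findall(f"{{{SAML_NS}}}AttributeDesignator")],
    }


# Constructed release policy keyed by the CN of the verified TLS client
# certificate; None is the anonymous (no client cert) bucket. Mirrors the
# point in the thread: the unsigned query gets more only if TLS authenticated.
RELEASE_POLICY = {
    None: {"eduPersonScopedAffiliation"},
    "sp.example.org": {"eduPersonScopedAffiliation", "eduPersonPrincipalName", "mail"},
}


def releasable_attributes(parsed_query, peer_cert_cn=None):
    """Return the sorted attributes this requester may receive for this query."""
    allowed = RELEASE_POLICY.get(peer_cert_cn, RELEASE_POLICY[None])
    requested = parsed_query["attributes"] or sorted(allowed)
    return sorted(a for a in requested if a in allowed)


if __name__ == "__main__":
    xml_text = build_attribute_query("constructed-handle-1", "https://idp.example.org/shibboleth",
                                     "https://sp.example.org/", ["mail"])
    print(xml_text)
    parsed = parse_attribute_query(xml_text)
    print("anonymous:", releasable_attributes(parsed))
    print("sp.example.org:", releasable_attributes(parsed, "sp.example.org"))
```

The build function shows that the "bits to change" are the handle, its qualifier, the Resource and the designators; the checker shows why a captured HS response is of no help for forging a query, since the handle is just an opaque string the AA looks up and the decision about what to return is taken from the TLS peer, not from anything inside the message.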






Archive powered by MHonArc 2.6.16.