shibboleth-dev - Re: AQM
- From: Walter Hoehn <>
- To: "Shahzad Younas" <>
- Cc: <>
- Subject: Re: AQM
- Date: Mon, 28 Mar 2005 08:35:34 -0600
In 1.2.1, the AA uses TLS for authentication, period. As for other "checking", the SAML Request has to pass muster. The contents of the shib handle are opaque and should be considered completely proprietary to a particular AA.
-Walter
On Mar 28, 2005, at 6:02 AM, Shahzad Younas wrote:
Aah right. I was a bit confused about where the certificate gets verified, as in the Shibb protocol doc it mentions that a ds:Signature field is optional when creating an AQM.
So the AA does NO authentication/checking of the AQM when it arrives? Is all that stuff done via the HTTPS connection?
Thanks
Shahzad
From: Wilcox, Mark
Sent: 28 March 2005 02:45
To: Shahzad Younas;
Subject: RE: AQM
Shahzad,
This currently uses HTTPS client-side certificates. Meaning it's part of the HTTP request cycle - before the message ever gets to the AA.
There is not going to be an easy way to "capture" this cert and replay it - that would have serious security consequences.
As I've said many times to you - your proxy is going to have to act as the AA to your real SHAR. And then act as a SHAR to the actual AA - meaning your proxy needs to send the certificates to the AA - not the real SHAR.
Mark
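The point Mark and Walter make above (the SHAR is authenticated by the TLS layer before the AA ever sees the query, and a certificate by itself cannot be "captured" and replayed) can be demonstrated with a small Go program. This is an added example, not code from this thread or from the Shibboleth project. It stands up an in-process TLS listener that plays the AA, requires a verified client certificate, and then runs two handshakes: one with the SHAR's certificate and its private key, and one with the same certificate but a different key, which is the best anyone who merely obtained the certificate could do. The names aa.example.org and shar.example.org, the self-signed certificates and the loopback listener are constructed for the example; the outcome rests only on standard TLS client authentication, where the client must sign the handshake transcript with the private key matching the certificate it presents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity is a party's certificate (public; anyone may hold a copy) plus
// the private key that only the party itself holds.
type Identity struct {
	Cert *x509.Certificate
	DER  []byte
	Key  *ecdsa.PrivateKey
}

// NewKey generates a fresh P-256 key. A party who copied a certificate but
// not its key can do no better than signing with some other key like this.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newSelfSigned mints a self-signed certificate for a constructed name.
func newSelfSigned(name string, usage x509.ExtKeyUsage, serial int64) (*Identity, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, DER: der, Key: key}, nil
}

// BuildParties creates the two constructed identities: the AA (TLS server)
// and the SHAR (TLS client). Hypothetical names, not real deployments.
func BuildParties() (aa, shar *Identity, err error) {
	if aa, err = newSelfSigned("aa.example.org", x509.ExtKeyUsageServerAuth, 1); err != nil {
		return nil, nil, err
	}
	if shar, err = newSelfSigned("shar.example.org", x509.ExtKeyUsageClientAuth, 2); err != nil {
		return nil, nil, err
	}
	return aa, shar, nil
}

// QueryAsClient runs one mutually authenticated TLS handshake against an
// in-process AA listener on loopback. The AA trusts the SHAR's certificate and
// requires a client certificate chaining to it. The client presents the SHAR's
// certificate together with presentedKey. It returns the CommonName the AA saw
// in the verified client certificate, or the AA's handshake error: the AA's
// verdict, not the client's, decides whether a query reaches the application.
func QueryAsClient(aa, shar *Identity, presentedKey *ecdsa.PrivateKey) (string, error) {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(shar.Cert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{aa.DER}, PrivateKey: aa.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // transport-layer authentication, before the AA's own code runs
		ClientCAs:    clientCAs,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type verdict struct {
		cn  string
		err error
	}
	done := make(chan verdict, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- verdict{err: err}
			return
		}
		defer raw.Close()
		_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, serverCfg)
		if err := srv.Handshake(); err != nil {
			done <- verdict{err: err}
			return
		}
		// Reached only when the CertificateVerify signature checked out
		// against the public key in the presented certificate.
		done <- verdict{cn: srv.ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()

	roots := x509.NewCertPool()
	roots.AddCert(aa.Cert)
	clientCfg := &tls.Config{
		RootCAs:      roots,
		ServerName:   "aa.example.org",
		Certificates: []tls.Certificate{{Certificate: [][]byte{shar.DER}, PrivateKey: presentedKey}},
	}
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return "", err
	}
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, clientCfg)
	_ = cli.Handshake() // a TLS 1.3 client finishes before the AA's alert arrives, so its result is not decisive
	v := <-done         // wait for the AA's verdict before tearing down the connection
	_ = cli.Close()
	return v.cn, v.err
}

func main() {
	aa, shar, err := BuildParties()
	if err != nil {
		panic(err)
	}
	cn, err := QueryAsClient(aa, shar, shar.Key)
	fmt.Printf("SHAR with its own key: cn=%q err=%v\n", cn, err)

	otherKey, _ := NewKey() // holds a copy of the certificate, but not the SHAR's key
	cn, err = QueryAsClient(aa, shar, otherKey)
	fmt.Printf("certificate without its key: cn=%q err=%v\n", cn, err)
}
```

The second handshake fails inside the AA's TLS stack because the CertificateVerify signature does not match the public key in the presented certificate, which is why a proxy that wants to query the AA on the SHAR's behalf has to hold the SHAR's private key (or its own trusted certificate and key), exactly as Mark describes.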
From: Shahzad Younas
Sent: Sun 3/27/2005 7:07 PM
To:
Subject: RE: AQM
Another quick question... is the X.509 certificate included in the SAMLResponse produced by the HS upon a successful login?
Could I extract this, then sign an AQM with it to get access to the attributes which can only be released by signed requests?
Thanks
Shahzad
From: Wilcox, Mark
Sent: 27 March 2005 21:40
To: Shahzad Younas;
Subject: RE: AQM
AFAIK - AQMs don't have to be signed - but the client MUST authenticate via client-side X.509 certificates to the AA to get all of the attributes. Otherwise you're only going to get attributes deemed acceptable for anonymous queries - which may or may not be what you're looking for.
Mark
From: Shahzad Younas
Sent: Sun 3/27/2005 3:34 PM
To:
Subject: RE: AQM
Thanks guys, that's great. Exactly what I was after!
For any AQM going to the AA, do they have to be signed? Or is it optional?
If they were to be signed, where/how does one configure that option in the Shibb setup?
Thanks
Shahzad
-----Original Message-----
From: Tom Scavo
Sent: 27 March 2005 19:39
To: Shahzad Younas
Cc:
Subject: Re: AQM
See http://shibboleth.internet2.edu/docs/draft-scavo-shib-techoverview-01.pdf which gives lots of detail regarding attribute queries.
On Sun, 27 Mar 2005 17:49:29 +0100, Shahzad Younas <> wrote:
> Hi,
>
> If I was to form my own AQM to POST to the AA, is there a standard
> format for a request? What pieces of data would I need to insert into
> this standard format?
> Obviously the user handle would need to be in the AQM. I know the
> protocol schema is in the shibb guides, but I was wondering if someone
> could email me the text of a typical AQM and point out to me which
> bits I need to change to make a specific request.
>
> Many Thanks
> Shahzad