Shibboleth Developers

[Walter Hoehn <>]

In 1.2.1, the AA uses TLS for authentication, period.  As for other  
"checking", the SAML Request has to pass muster.  The contents of the  
shib handle are opaque and should be considered completely proprietary  
to a particular AA.

-Walter


On Mar 28, 2005, at 6:02 AM, Shahzad Younas wrote:

> Aah rite. I was a bit confused about where the certificate gets  
> verified as in the Shibb protocol doc, it mentions that a ds:Signature  
> field is optional when creating an AQM.
> So the AA does NO authentication/checking of the AQM when it arrives?  
> Is all that stuff done  via the HTTPS connection?
>  
> Thanks
> Shahzad
>
>
> From: Wilcox, Mark 
> [mailto:]
>  Sent: 28 March 2005 02:45
> To: Shahzad Younas; 
>
> Subject: RE: AQM
>
> Shahzad,
> This currently uses HTTPS client-side certificates. Meaning it's part  
> of the HTTP request cycle - before the message ever gets to the AA.
>  
> There is not going to be an easy way to "capture" this cert and replay  
> it - that would have serious security consequences.
>  
> As I've said many times to you - you're proxy is going to have to act  
> as the AA to your real SHAR. And then act as a SHAR to the actual AA -  
> meaning your proxy needs to send the certificates to the AA - not the  
> real SHAR.
>  
> Mark
>
>
> From: Shahzad Younas 
> [mailto:]
> Sent: Sun 3/27/2005 7:07 PM
> To: 
>
> Subject: RE: AQM
>
> Another quick question....is the X.509 certificate included in the  
> SAMLResponse produced by the HS upon a successful login?
> Could i extract this, then sign a AQM with it to get access to the  
> attrbiutes which can only be released by signed requests?
>  
> Thanks
> Shahzad
>
>
> From: Wilcox, Mark 
> [mailto:]
>  Sent: 27 March 2005 21:40
> To: Shahzad Younas; 
>
> Subject: RE: AQM
>
> AFAIK - the AQM don't have to be signed - but the client MUST  
> authenticate via client-side X.509 certificates to the AA to get all  
> of the attributes. Otherwise you're only going to get attributes  
> deemed acceptable by anonymous queries - which may or may not be what  
> you're looking for.
>  
> Mark
>
>
> From: Shahzad Younas 
> [mailto:]
> Sent: Sun 3/27/2005 3:34 PM
> To: 
>
> Subject: RE: AQM
>
>
> Thanks guys that's great. Exactly what I was after!
> For any AQM going to the AA, do they have to be signed? Or is it  
> optional?
> If they were to be signed, where/how does one configure that option in  
> the
> shibb setup?
>
> Thanks
> Shahzad
>
> -----Original Message-----
> From: Tom Scavo 
> [mailto:]
> Sent: 27 March 2005 19:39
> To: Shahzad Younas
> Cc: 
>
> Subject: Re: AQM
>
> See
> http://shibboleth.internet2.edu/docs/draft-scavo-shib-techoverview 
> -01.pdf
> which gives lots of detail regarding attribute queries.
>
>
> On Sun, 27 Mar 2005 17:49:29 +0100, Shahzad Younas
> <>
>  wrote:
> > Hi,
> > 
> > If i was to form my own AQM to POST to the AA, is there a standard
> > format for a request? What pieces of data would I need to insert into
> > this standard format?
> > Obviously the user handle would need to be in the AQM. I know the
> > protocol schema is in the shibb guides, but I was wondering if  
> someone
> > could email me the text of a typical AQM and point out to me which
> > bits I need to change to make a specific request.
> > 
> > Many Thanks
> > Shahzad

Attachment: smime.p7s
Description: S/MIME cryptographic signature