shibboleth-dev - RE: SAML Artifact attribute
Subject: Shibboleth Developers
- Subject: RE: SAML Artifact attribute
- Date: Thu, 27 Apr 2006 12:24:37 -0400
Tom,

Thanks for your clarification. A few more queries:

Background:
We are working on enabling Shibboleth to provide authentication and subsequent attribute-based authorization for access to a set of applications. We are currently trying to finalize the SSO profile to be used in our architecture for Shibboleth integration, essentially whether to use Browser/POST or Browser/Artifact.

Queries:
a) What is the key driver for choosing between Browser/POST vs. Browser/Artifact?
b) From the documentation, it looks like for Browser/Artifact there is an additional network call from the ACS (SP side) to the ARS (IDP side) before authenticating the user, to retrieve the reference to the SAML assertion. Does this mean Browser/POST has an advantage over Artifact in terms of turnaround time for authentication? Is this understanding correct?
c) Now, in both cases, will the SP make a default call to the IDP for retrieving attributes for authorization while using the Browser/POST profile? This seems to be happening in the Java sample posted at http://shibboleth.internet2.edu/downloads/JavaSP/shibboleth_eclipse.htm

Regards,
Johnson

-----Original Message-----
From: Tom Scavo
Sent: Wednesday, April 26, 2006 10:24 AM
Subject: Re: SAML Artifact attribute

On 4/26/06, <> wrote:
> What is SAML artifact?

An artifact is a reference to a SAML assertion, passed from an IdP to an SP, dereferenced in a later back-channel exchange. This is in contrast to Browser/POST where the actual assertion is passed by value.

> While HS (IDP) responds after authentication to
> ACS (SP), it is sending the target URL and the SAMLResponse, is there
> any way I can get the SAML artifact attribute as well.

An artifact is not an attribute. It is passed in the redirection URL from IdP to SP. The SP takes the artifact and sends it in a back-channel SOAP request to the IdP who returns the corresponding assertion.

Basically, an artifact precludes the need to send SAML assertions through the browser. Depending on your particular use case, this may be a Good Thing.

Tom
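
The by-reference exchange described in the quoted reply, as an added example that is not part of the thread and is not Shibboleth code: it parses the `SAMLart` parameter of an IdP-to-SP redirect using the SAML 1.1 type 0x0001 layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) and picks the back-channel endpoint from SP-side trust data. The provider ID, host names and handle are constructed sample values, and `trusted_idps` is a hypothetical stand-in for SP metadata.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_0001 = b"\x00\x01"  # two-byte type code of a SAML 1.x type 0x0001 artifact

def make_artifact(provider_id, handle):
    """IdP side: TypeCode || SHA-1(providerId) || 20-byte AssertionHandle."""
    source_id = hashlib.sha1(provider_id.encode()).digest()
    return base64.b64encode(TYPE_0001 + source_id + handle).decode()

def parse_artifact(b64):
    """SP side: return (source_id, assertion_handle) or raise ValueError."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != 42 or raw[:2] != TYPE_0001:
        raise ValueError("not a 42-byte type 0x0001 artifact")
    return raw[2:22], raw[22:]

def plan_backchannel(redirect_url, trusted_idps):
    """Map each SAMLart in the redirect to (resolution endpoint, handle).

    trusted_idps maps SourceID -> endpoint and stands in for SP metadata;
    the endpoint is never taken from the browser-supplied request.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    plan = []
    for artifact in query.get("SAMLart", []):
        source_id, handle = parse_artifact(artifact)
        if source_id not in trusted_idps:
            raise ValueError("artifact issued by an unknown SourceID")
        plan.append((trusted_idps[source_id], handle))
    return plan

# Constructed sample values (not from the thread).
IDP_ID = "urn:example:idp"
HANDLE = bytes(range(20))
TRUSTED = {hashlib.sha1(IDP_ID.encode()).digest(): "https://idp.example.org/artifact"}
REDIRECT = "https://sp.example.org/acs?" + urlencode(
    {"TARGET": "https://sp.example.org/app", "SAMLart": make_artifact(IDP_ID, HANDLE)})

if __name__ == "__main__":
    for endpoint, handle in plan_backchannel(REDIRECT, TRUSTED):
        print("SOAP samlp:Request to", endpoint, "with handle", handle.hex())
```

The browser only ever carries the 42-byte reference; the assertion itself travels in the SOAP response to the SP.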