Skip to Content.
Sympa Menu

shibboleth-dev - Re: SAML Artifact attribute

Subject: Shibboleth Developers

List archive

Re: SAML Artifact attribute


Chronological Thread 
  • From: Velpi <>
  • To:
  • Cc: , ,
  • Subject: Re: SAML Artifact attribute
  • Date: Thu, 27 Apr 2006 23:58:00 +0200
POST has some drawbacks with regard to non-Javascript environments and
back-button issues, but seems to be increasingly viewed as a usable binding
across a lot of non-SAML systems, which makes me think it's the better
choice going forward.
We recently chose to convert all SPs in our federation to use the artifact browser profile. The main reasons were -as you say- the back button and the javascript things. From a user's point-of-view those are really not nice in POST. But I can only agree on the cached URL problems, though I hardly think that's a real security threat considering the replay and time restrictions.

POST requires signing a message, which is much slower than TLS is, so
generally I think POST is slower, but without push, it's always slower
because we do the backchannel too.
POST+push means that attributes are passing through the browser (with the advantage that there's no backchannel needed). If that message is not encrypted, we consider it to be a privacy issue. The backchannel provides excellent encryption that prevents that issue cleanly. It also feels more browser-independent (which is definitely nice to know) and more system-dependent (which is a lot more easy to keep in control). We also like the backchannel since it can be set to require SSL mutual certificate authentication.
Another interesting thing is that unidentified SPs always receive the authentication assertion in the POST profile. In the artifact profile (suppose you would force it) an unidentified SP won't even get that and will always block further access. It will only get the reference to the assertions, but it's not allowed to use it to get ANY more information about the user.

c)Now in both cases will the SP make default call to IDP for retrieving attributes for authorization while using Browser/POST profile?

That's a push vs pull question. Until 1.3 push was not an option.
(correct me if I'm wrong)
*POST+pull=AuthN assertion through browser, attributes pulled w/ backchannel
*POST+push=assertion+attributes through browser (signed)
(*Artifact+pull: probably only useful in some specific cases)
*Artifact+push=Artifact is dereferenced through backchannel, response contains assertion+attributes in the same request/response


We prefer Artifact+push (at the present time).


-- Velpi

Archive powered by MHonArc 2.6.16.

Top of Page