
wg-pic - Re: [wg-pic] SAML use cases

Subject: Presence and IntComm WG


Re: [wg-pic] SAML use cases


  • From: Tom Scavo <>
  • To:
  • Subject: Re: [wg-pic] SAML use cases
  • Date: Wed, 28 Oct 2009 16:31:20 -0400

On Wed, Oct 28, 2009 at 4:19 PM, Peter Saint-Andre
<>
wrote:
>
> On 10/28/09 2:01 PM, Tom Scavo wrote:
>> You're looking for a way to do back-channel
>> (server-to-server) access control, that is, an XMPP server calls out
>> to another XMPP server for an access control decision (or attributes
>> that can be used to make an access control decision). Am I even
>> halfway close to the truth? :-)
>
> I think the communication could happen over HTTP instead of XMPP. For
> example, using my XMPP client I try to access a protected resource (say,
> a chatroom) at a remote XMPP service. The remote service discovers the
> canonical attribute authority for the domain of my local XMPP service
> and sends a normal Shib request to that AA using HTTP. Yes, the remote
> XMPP service would need to have the smarts to discover my AA and send it
> a request over HTTP, but I'm assuming we have code for that and the
> software running at the remote XMPP service would need to install some
> kind of shim to use the Shib code.

Okay, that helps. I'll come back to this later (after I've exhausted
all other possibilities :)

>> Close or not, consider this alternative use case (which for some
>> reason is the one I think I want to solve): Suppose I had a
>> browser-based group chat client. (I assume such things exist.)
>
> Indeed:
>
> http://xmpp.org/software/clients.shtml#web

Oooo...

>> Now
>> protect this client with a Shibboleth Service Provider (or any
>> implementation of a SAML Service Provider) and map the supplied group
>> membership attribute(s) to the corresponding chat room(s).
>
> But doesn't this constrict us to the use of a web client?

Yes, but that's what SAML was designed for, so this is the easiest
problem to solve. Surely someone must have already done this.

>> The latter seems fairly straightforward compared to the former, so
>> this is where I think I need to start. Why is it thought that the
>> former is the problem we want to solve?
>
> Because there is a huge installed base of XMPP-capable clients on just
> about every computing platform known to man. It would be great if they
> could Just Work [tm]...

And how do these clients authenticate themselves today?

Thanks,
Tom
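The "easiest problem" Tom describes above (a browser chat client behind a Shibboleth/SAML Service Provider, with group-membership attributes mapped to chat rooms) can be sketched in a few lines of application code. The following is an added example for illustration, not code from this thread, from Shibboleth, or from any XMPP project. It assumes: the SP exports an attribute named isMemberOf into the request environment; Shibboleth SP's multi-value encoding (values joined with ';', a literal ';' inside a value escaped as '\;'); the SP's Shib-Session-ID variable as evidence that the SP, not the client, populated the environment; and a hypothetical group-to-room mapping with example.edu names.

```python
"""Map Shibboleth SP group-membership attributes to chat rooms.

Added example (not from the wg-pic thread or any real project).
Assumptions, all hypothetical: attribute id 'isMemberOf', Shibboleth SP's
';'-joined / '\\;'-escaped multi-value encoding, the SP-set Shib-Session-ID
variable, and the example.edu group and room names below.
"""

# Hypothetical mapping from group values (LDAP-style DNs as an IdP might
# release them) to XMPP multi-user-chat room JIDs.  Deny by default: a group
# absent from this table grants nothing.
GROUP_TO_ROOM = {
    "cn=wg-pic,ou=groups,dc=example,dc=edu": "wg-pic@conference.example.edu",
    "cn=staff,ou=groups,dc=example,dc=edu": "staff@conference.example.edu",
}


def split_shib_values(raw):
    """Split a Shibboleth SP multi-valued attribute string into values.

    The SP joins values with ';' and escapes a literal ';' within a value as
    '\\;', so a naive raw.split(';') would corrupt such values.
    """
    values, current, i = [], [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped separator, keep literally
            i += 2
            continue
        if c == ";":
            values.append("".join(current))
            current = []
            i += 1
            continue
        current.append(c)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]      # drop empty fragments


def authorized_rooms(environ, mapping=GROUP_TO_ROOM):
    """Return the set of room JIDs the authenticated user may join.

    Refuses (empty set) unless the SP has populated the environment: the
    attribute must come from the SP's session, never from a header the
    browser could have supplied itself.
    """
    if not environ.get("Shib-Session-ID"):
        return set()
    groups = split_shib_values(environ.get("isMemberOf", ""))
    return {mapping[g] for g in groups if g in mapping}


def can_join(environ, room, mapping=GROUP_TO_ROOM):
    """Access-control decision for a single room."""
    return room in authorized_rooms(environ, mapping)


if __name__ == "__main__":
    # Constructed sample environment, as the SP would populate it after login.
    sample = {
        "Shib-Session-ID": "_constructed_session_id",
        "isMemberOf": ("cn=wg-pic,ou=groups,dc=example,dc=edu;"
                       "cn=guests,ou=groups,dc=example,dc=edu"),
    }
    print(sorted(authorized_rooms(sample)))
    print(can_join(sample, "staff@conference.example.edu"))
```

The Shib-Session-ID check is the caveat a practitioner would want here: if the application reads attributes from HTTP request headers rather than server environment variables, it must trust the SP to strip any client-supplied header of the same name, otherwise a user could claim arbitrary group memberships. The back-channel variant Peter describes (the remote XMPP service querying the user's home attribute authority over HTTP) would produce the same attribute values but obtain them through a SAML attribute query, so the mapping and decision logic above would apply unchanged.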



