The SAML XML.org web site is no longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

(1) direct communication and (2) forwarding the assertion

Hi,

I'm new to SAML and I have two - hopefully not too silly - questions:

(Question 1)

I understood from the profiles in the standard that when requesting an assertion the relying party (server) never contacts the SAML authority (identity provider) directly but only via the user (client), e.g. by redirect.

My question: Is it also possible that the server contacts the SAML authority directly to request an assertion?

- If not, why not?

- If yes, where can I find this variation in the standard?

(Question 2)

If we assume that the server S1 received from the client C an assertion, claiming that it is indeed client C - isn't the following attack possible:

Now S1 acts as a client and claims to server S2 that it is client C and sends to server S2 the assertion that it received from the real C before - and this assertion proves that S2 is C.

Thank you!

Profiles solve specific problems. The flows are based on the problem to be solved, not on who contacts whom.

Any protocol that authenticates a client to a service can't just not include the client, it wouldn't be secure. I can't think of any authentication profile offhand that could omit the client. Non-authentication profiles can and do.

Your second question requires that you read the descriptions of the audience and subject confirmation elements and their use in profiles. The short answer is no, it isn't possible unless a relying party ignores its obligations.

-- Scott
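To make the second answer concrete, the following is an added Python example (not part of the original thread and not code from any SAML library) of the obligations Scott refers to: a relying party checks the assertion's AudienceRestriction, the bearer SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) and the Conditions validity window, and remembers assertion IDs it has already accepted. The sample assertion, hostnames, IDs and timestamps are constructed for illustration; signature verification is assumed to have happened before these checks and is not shown.

```python
"""Relying-party checks that defeat forwarding an assertion issued for S1 to S2."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (hostnames, IDs, times are made up): issued by the IdP for
# client C, addressed to relying party S1 only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>client-c</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://s1.example.org/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://s1.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

S1_ENTITY, S1_ACS = "https://s1.example.org", "https://s1.example.org/acs"
S2_ENTITY, S2_ACS = "https://s2.example.org", "https://s2.example.org/acs"
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)   # inside the validity window
LATER = NOW + timedelta(minutes=10)                        # after NotOnOrAfter


def _ts(value):
    """Parse the UTC 'Z' timestamps used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, entity_id, acs_url, now, in_response_to=None, seen_ids=None):
    """Return the list of reasons this relying party must reject the assertion.

    An empty list means the assertion is acceptable to the relying party identified by
    entity_id / acs_url. Signature verification is assumed to precede this function.
    """
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. Audience: the IdP named the party the assertion is meant for; S2 is not in it.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        reasons.append(f"audience {audiences} does not include {entity_id}")

    # 2. Conditions validity window.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            reasons.append("conditions: not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            reasons.append("conditions: expired")

    # 3. Bearer subject confirmation: Recipient must be our endpoint, data unexpired,
    #    and InResponseTo must match the request we actually sent (if we sent one).
    confirmed, sc_failures = False, []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") != acs_url:
            sc_failures.append(f"recipient {data.get('Recipient')} is not {acs_url}")
        elif data.get("NotOnOrAfter") and now >= _ts(data.get("NotOnOrAfter")):
            sc_failures.append("subject confirmation: expired")
        elif in_response_to is not None and data.get("InResponseTo") != in_response_to:
            sc_failures.append("subject confirmation: InResponseTo mismatch")
        else:
            confirmed = True
    if not confirmed:
        reasons.extend(sc_failures or ["no usable bearer SubjectConfirmation"])

    # 4. Replay cache: an assertion ID is accepted once, even by the right recipient.
    assertion_id = root.get("ID")
    if seen_ids is not None:
        if assertion_id in seen_ids:
            reasons.append(f"assertion {assertion_id} already used")
        elif not reasons:
            seen_ids.add(assertion_id)
    return reasons


if __name__ == "__main__":
    print("S1 accepts:", check_assertion(SAMPLE_ASSERTION, S1_ENTITY, S1_ACS, NOW, "_req1"))
    print("S2 rejects:", check_assertion(SAMPLE_ASSERTION, S2_ENTITY, S2_ACS, NOW))
```

Run as a script it prints an empty list for S1 and the audience and recipient mismatches for S2, which is exactly why S1 forwarding the assertion to S2 gains nothing: the IdP bound the assertion to S1 in two independent places, and it also expires within minutes and is accepted only once.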
