SAML 2.0: LECP Solution Proposal
Work Plan Item W-5a
Frederick Hirsch
23 October 2003
Intent: Add an additional profile
● Web Browser Artifact Profile
● Web Browser POST Profile
● LECP Profile
Use Case
● Mobile phone user accesses web site for service
● Site requests authentication in HTTP response
● Client obtains authentication assertion from identity server it determines, e.g. mobile operator
● Client passes assertion to service provider
● Service provider returns response
(Note: LECP may be client or proxy)
Considerations
● Client (or proxy) determines appropriate identity provider
● Accommodate high-latency or unreliable networks
– Minimize redirects
● Accommodate constrained devices
– Limited or no cookie support
– URL length limitations
– Scripting limitations (e.g. ECMAScript not supported)
● Minimal impact on service providers
Impact
● New profile document: LECP Profile
● Profile specific schema definitions
– AuthnRequestEnvelope, AuthnResponseEnvelope
– IDPList
● Core schema definitions
– AuthnRequest, AuthnResponse
LECP Profile
● HTTP request including liberty enabled client HTTP header
● HTTP response with AuthnRequest
● Client web services request containing AuthnRequest
● Web services response with AuthnResponse
● AuthnResponse in HTTP request to server
● Server HTTP response with service
LECP Flow (sequence diagram between LEC, SP and IDP): 1 HTTP GET (LEC to SP); 2 AuthnRequest (SP to LEC); 3 AuthnRequest over SOAP (LEC to IDP); 4 AuthnResponse over SOAP (IDP to LEC); 5 AuthnResponse (LEC to SP); 6 200 OK (SP to LEC)
AuthnRequestEnvelope
● AuthnRequest – the Liberty 1.1 authentication request
● ProviderId – Identifier for SP
● ProviderName – Human readable name for SP
● IDPList – list of IDPs acceptable to SP, optional information for LEC
● IsPassive – if “true”, do not interact with principal
AuthnResponseEnvelope
● AuthnResponse
● AssertionConsumerServiceURL – URL IDP anticipates based on MetaData
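Added example (not from the deck or the Liberty specifications) of the two checks an LEC would apply to these envelopes: reading the SP's AuthnRequestEnvelope, choosing an IDP from IDPList that the client itself trusts, and refusing to post the AuthnResponse to an AssertionConsumerServiceURL that does not belong to the SP. The namespace URI, the IDPEntries/IDPEntry structure and all sample values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace assumed for illustration; the deck only notes that the lib namespace changed.
LIB = "urn:liberty:iff:2003-08"
NS = {"lib": LIB}

# Constructed sample of what an SP might return in step 2 of the flow.
# Element names follow the deck; IDPEntries/IDPEntry nesting and values are assumed.
SAMPLE_ENVELOPE = f"""<lib:AuthnRequestEnvelope xmlns:lib="{LIB}">
  <lib:AuthnRequest/>
  <lib:ProviderID>https://sp.example.test</lib:ProviderID>
  <lib:ProviderName>Example SP</lib:ProviderName>
  <lib:IDPList><lib:IDPEntries>
    <lib:IDPEntry><lib:ProviderID>https://idp.operator.test</lib:ProviderID>
      <lib:Loc>https://idp.operator.test/soap</lib:Loc></lib:IDPEntry>
    <lib:IDPEntry><lib:ProviderID>https://idp.other.test</lib:ProviderID>
      <lib:Loc>http://idp.other.test/soap</lib:Loc></lib:IDPEntry>
  </lib:IDPEntries></lib:IDPList>
  <lib:IsPassive>false</lib:IsPassive>
</lib:AuthnRequestEnvelope>"""


def parse_envelope(xml_text):
    """Return (sp_provider_id, is_passive, [(idp_id, loc), ...]) from an AuthnRequestEnvelope."""
    root = ET.fromstring(xml_text)  # use defusedxml in production to resist entity attacks
    if root.tag != f"{{{LIB}}}AuthnRequestEnvelope":
        raise ValueError("not an AuthnRequestEnvelope")
    provider_id = root.findtext("lib:ProviderID", namespaces=NS)
    is_passive = (root.findtext("lib:IsPassive", "false", NS) or "").strip() == "true"
    idps = [(e.findtext("lib:ProviderID", namespaces=NS), e.findtext("lib:Loc", namespaces=NS))
            for e in root.findall("lib:IDPList/lib:IDPEntries/lib:IDPEntry", NS)]
    return provider_id, is_passive, idps


def choose_idp(sp_idps, trusted):
    """LEC policy: the SP's IDPList is only a hint. Send the AuthnRequest (step 3) only to
    an IDP the client itself trusts, and only to an https Loc."""
    for idp_id, loc in sp_idps:
        if idp_id in trusted and urlparse(loc).scheme == "https":
            return idp_id, loc
    return None


def acs_url_allowed(acs_url, sp_provider_id):
    """Step 5: post the AuthnResponse only to an https URL on the SP named by ProviderID."""
    acs, sp = urlparse(acs_url), urlparse(sp_provider_id)
    return acs.scheme == "https" and acs.hostname is not None and acs.hostname == sp.hostname
```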
LECP: Profile
Schema elements
● AuthnRequest
● AuthnResponse
● AuthnRequestEnvelope
● IDPList
● AuthnResponseEnvelope
Liberty 1.1/1.2 Changes
● Lib namespace changed
● AuthnRequest
– Added optional Extension element
– Added support for Affiliations, optional AffiliationID element
– Added NameIDPolicy, ProxyAuthn, IntroductionArtifact, consent attribute
– Removed Federate element, ID attribute
– Changed name of AuthnContext to RequestAuthnContext, moved related elements to subelements
● AuthnResponse
– Added optional Extension element
– Added optional consent attribute
– Removed id attribute
Liberty 1.1/1.2 Changes
● AuthnRequestEnvelope
– Optional Extension element
● IDPList
– Loc now required, previously optional
● AuthnResponseEnvelope – no change
● Protocols & Schemas 1.2
– https://www.projectliberty.org/specs/draft-lib-arch-protocols-schema-v1.2-17.pdf
● Protocols & Schemas 1.1
– https://www.projectliberty.org/specs/archive/v1_1/liberty-architecture-bindings-profiles-v1.1.pdf
Proposed Next Steps
● LECP Profile
– Include LECP specific schema definitions
● Core schema changes
– AuthnRequest, AuthnResponse
Recommend
More recommend