[Concordia] RP Passing AuthN Requirements in WS-Fed
Pat Patterson
Andrew.Patterson at Sun.COM
Tue Mar 4 14:51:10 EST 2008
Looking at http://projectconcordia.org/index.php/Infocard_Authentication_Scenario_Details,
it says that the RP will pass its authN requirements
* in a samlp:AuthnRequest/samlp:RequestedAuthnContext
* in WS-SecurityPolicy but requesting a claim with a matching name
Presumably, the latter applies to WS-Fed. Looking at the recent WS-Fed
and derivative specs [1][2], can't we use the wauth parameter instead?
A sample authN request redirect target from the RP would then look
something like (params URL decoded for clarity):
https://wsfedip.com/some/path/?wa=wsignin1.0&wctx=abc123&wct=2008-03-04T19:50:17Z&wtrealm=urn:federation:wsfedrp&wauth=http://projectconcordia.org/rsainterop/authnmech/managed/password
This seems much simpler than delving into WS-SecPol...
Cheers,
Pat
[1] http://specs.xmlsoap.org/ws/2006/12/federation/ws-federation.pdf
[2] http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-MWBF%5D.pdf
- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -
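An added example, not part of the original message or of any project's code: the sign-in redirect with wauth built and URL-encoded on the RP side, parsed on the IP side, and checked again when the response comes back. The endpoint, realm and wauth values are those of the sample URL above; the `pending` store, the function names, and the assumption that the RP has already extracted the asserted authentication method from a signature-validated token are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the sample URL in the message above.
IP_ENDPOINT = "https://wsfedip.com/some/path/"
REALM = "urn:federation:wsfedrp"
WAUTH = "http://projectconcordia.org/rsainterop/authnmech/managed/password"

# Hypothetical RP-side store: wctx -> authentication type the RP asked for.
pending = {}


def build_signin_url(wctx, wct, wauth=WAUTH):
    """RP side: build the redirect target, URL-encoding every parameter."""
    pending[wctx] = wauth
    query = urlencode({"wa": "wsignin1.0", "wctx": wctx, "wct": wct,
                       "wtrealm": REALM, "wauth": wauth})
    return IP_ENDPOINT + "?" + query


def parse_signin_request(url):
    """IP side: recover the parameters; reject anything but a sign-in request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a wsignin1.0 request")
    return params


def check_authn_method(wctx, asserted_method):
    """RP side: the request travels through the browser, so wauth can be
    altered or dropped in transit. Accept the response only if the method
    the IP asserts equals the one recorded for this wctx (assumes the IP
    echoes the requested URI as the authentication method)."""
    requested = pending.pop(wctx, None)  # one-time use per wctx
    return requested is not None and asserted_method == requested
```

Because the request is an ordinary browser redirect, the comparison in `check_authn_method` is what actually enforces the RP's requirement; wauth on its own is only a hint to the IP.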