Re: [liberty-dev] Enterprise Portal question


To liberty-dev@emailprotection.org
From “John D. Beatty” <beatty@sun.com>
Date Mon, 26 Aug 2002 09:48:11 -0700
References <914038A810FFEE40B86E91880C890355015752AA@MSGBOS686NTS.fmr.com >
Reply-to liberty-dev@projectliberty.org
Sender liberty-dev-owner@emailprotection.org
User-agent Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020721

If the federation between and IDP and SP of a principal's account has happened out-of-band, then the AuthnRequest from SP to IDP need not occur for the federation to exist. There is nothing in the specs which prevent you from doing this.

Now, it sounds like you're thinking of doing some trick whereby the AuthnResponse is given to an SP to set up the federation. I hadn't really considered doing this. I would view it as an extension to the Liberty protocols. If it works for you, then great. However, if you've already established the common name for the user between the SP and IDP, I'm not sure why this would be necessary.

john

Harding, Patrick wrote:

I do not remember if the following scenario was discussed at all for Version
1.0.
I am assuming the Enterprise is the IDP and the user has logged into the
Enterprise Portal (in fact this is likely the browsers home page, and the
login was transparent by way of NTLM authentication). The Enterprise Portal
makes available a selection of external web sites that are SP's (e.g. via
drop down menu) such as Health Care, 401K, Corporate Credit Card. The user
has been bulk federated with these external web sites by virtue of being an
employee of the Enterprise.
The Enterprise Portal already has control of the UI, and the link to the
external web site has been dynamically created with hidden form fields that
contain the AuthNResponse or Artifact. The profile (e.g. BrowserPOST), the
principal's name identifier etc. have been pre-agreed. I see no reason at
this point to bother with the AuthNRequest message. A quick browse of the
specs indicates nothing that prevents this nor indicates that use of the
AuthNRequest message is mandatory.
Thoughts??
Cheers
- Patrick


Partial thread listing:

08/26/2002
Re: [liberty-dev] Enterprise Portal question(continued)
 John D. Beatty (08/26/2002)
 Conor P. Cahill (08/26/2002)
 Jonathan Sergent (08/26/2002)
08/09/2002
[liberty-dev] 2 items for clarification in protocols and schemas document
(Jonathan Sergent)
 Vineet Arora (08/11/2002)

LEAVE A REPLY

Please enter your comment!
Please enter your name here