RE: [liberty-dev] Enterprise Portal question


To <liberty-dev@emailprotection.org>
From "Conor P. Cahill" <conc@aol.com>
Date Mon, 26 Aug 2002 12:49:25 -0400
Importance Normal
In-reply-to <3D6A5BCB.1040901@sun.com>
Reply-to liberty-dev@emailprotection.org
Sender liberty-dev-owner@emailprotection.org

Hmm.  You were looking at this from a federation point of view,
I was looking at it from an Authentication (SSO) point of view
since the pre-condition he has discussed was that the user was
bulk federated.

Conor

> If the federation between an IDP and SP of a principal's account has
> happened out-of-band, then the AuthnRequest from SP to IDP need not
> occur for the federation to exist. There is nothing in the specs which
> prevents you from doing this.
>
> Now, it sounds like you're thinking of doing some trick whereby the
> AuthnResponse is given to an SP to set up the federation. I hadn't
> really considered doing this. I would view it as an extension to the
> Liberty protocols. If it works for you, then great. However, if you've
> already established the common name for the user between the SP and IDP,
> I'm not sure why this would be necessary.
>
> john
>
> Harding, Patrick wrote:
> > I do not remember if the following scenario was discussed at all for
> > Version 1.0. I am assuming the Enterprise is the IDP and the user has
> > logged into the Enterprise Portal (in fact this is likely the browser's
> > home page, and the login was transparent by way of NTLM
> > authentication). The Enterprise Portal makes available a selection of
> > external web sites that are SPs (e.g. via drop down menu) such as
> > Health Care, 401K, Corporate Credit Card. The user has been bulk
> > federated with these external web sites by virtue of being an employee
> > of the Enterprise. The Enterprise Portal already has control of the
> > UI, and the link to the external web site has been dynamically created
> > with hidden form fields that contain the AuthNResponse or Artifact.
> > The profile (e.g. BrowserPOST), the principal's name identifier etc.
> > have been pre-agreed. I see no reason at this point to bother with the
> > AuthNRequest message. A quick browse of the specs indicates nothing
> > that prevents this nor indicates that use of the AuthNRequest message
> > is mandatory. Thoughts??
> > Cheers
> > - Patrick
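Added example, not from the thread or from any Liberty Alliance code: an SP-side acceptance check for the kind of unsolicited response Patrick's portal scenario posts to the SP, where there is no outstanding AuthnRequest to correlate it with. Without an InResponseTo the SP has to rely on the remaining checks (trusted issuer, signature, recipient and audience, freshness, and a replay cache keyed on the assertion ID), so those are what the code exercises. The message format is a hypothetical flat `<Response>` element, not the Liberty ID-FF schema, the HMAC stands in for the IdP's XML signature, and the provider IDs, key and timestamps are constructed.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed identifiers for the example (not real providers).
SP_PROVIDER_ID = "https://sp.example.com/liberty"
# Pre-agreed key per IdP; stands in for the IdP's signing certificate.
IDP_KEYS = {"https://idp.example.com/liberty": b"constructed-shared-key"}
MAX_CLOCK_SKEW = 300  # seconds of tolerance between IdP and SP clocks

# Attributes covered by the (stand-in) signature, in a fixed order.
SIGNED_FIELDS = ("issuer", "recipient", "audience", "in_response_to",
                 "issue_instant", "assertion_id", "not_before", "not_on_or_after")


def _canonical(attrs):
    """Deterministic byte string over the signed attributes (hypothetical format)."""
    return "|".join(f"{k}={attrs.get(k, '')}" for k in SIGNED_FIELDS).encode()


def sign_response(attrs, key):
    """Build the hypothetical signed <Response> the portal would put in a hidden form field."""
    sig = hmac.new(key, _canonical(attrs), hashlib.sha256).hexdigest()
    elem = ET.Element("Response",
                      {**{k: str(attrs.get(k, "")) for k in SIGNED_FIELDS}, "signature": sig})
    return ET.tostring(elem, encoding="unicode")


class ReplayCache:
    """Remembers assertion IDs until their validity window has passed."""

    def __init__(self):
        self._seen = {}

    def first_use(self, assertion_id, expires_at, now):
        # Drop expired entries so the cache stays bounded.
        self._seen = {a: t for a, t in self._seen.items() if t > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def accept_response(xml_text, now, outstanding_requests, replay_cache, allow_unsolicited=True):
    """Return (accepted, reason). outstanding_requests holds request IDs this SP issued."""
    try:
        attrs = ET.fromstring(xml_text).attrib
    except ET.ParseError:
        return False, "malformed response"
    key = IDP_KEYS.get(attrs.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(attrs), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attrs.get("signature", "")):
        return False, "bad signature"
    if attrs.get("recipient") != SP_PROVIDER_ID or attrs.get("audience") != SP_PROVIDER_ID:
        return False, "not addressed to this SP"
    in_response_to = attrs.get("in_response_to", "")
    if in_response_to:
        if in_response_to not in outstanding_requests:
            return False, "unknown or already-used request ID"
        outstanding_requests.discard(in_response_to)  # one response per request
    elif not allow_unsolicited:
        return False, "unsolicited response not permitted"
    try:
        issued = int(attrs["issue_instant"])
        not_before = int(attrs["not_before"])
        not_on_or_after = int(attrs["not_on_or_after"])
    except (KeyError, ValueError):
        return False, "missing or invalid timestamps"
    if abs(now - issued) > MAX_CLOCK_SKEW:
        return False, "stale response"
    if not (not_before - MAX_CLOCK_SKEW <= now < not_on_or_after + MAX_CLOCK_SKEW):
        return False, "assertion outside validity window"
    # With no request to correlate against, the replay cache is the only replay defence.
    if not replay_cache.first_use(attrs.get("assertion_id", ""), not_on_or_after + MAX_CLOCK_SKEW, now):
        return False, "replayed assertion"
    return True, "ok"


def demo():
    """Accept a fresh unsolicited response, then reject a replay and a tampered copy."""
    now = 1030380565  # constructed epoch time, 26 Aug 2002
    attrs = {"issuer": "https://idp.example.com/liberty", "recipient": SP_PROVIDER_ID,
             "audience": SP_PROVIDER_ID, "in_response_to": "", "issue_instant": now,
             "assertion_id": "a-0001", "not_before": now - 60, "not_on_or_after": now + 300}
    msg = sign_response(attrs, IDP_KEYS[attrs["issuer"]])
    cache = ReplayCache()
    first = accept_response(msg, now, set(), cache)
    replay = accept_response(msg, now, set(), cache)
    tampered = accept_response(msg.replace("a-0001", "a-0002"), now, set(), cache)
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

Whether to set `allow_unsolicited` at all is the policy decision the thread is circling: an SP that only ever expects responses to its own AuthnRequests can reject anything without an InResponseTo, while one that has agreed to the portal's pre-arranged flow must lean on the issuer, audience, freshness and replay checks instead.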
