From: Jon Serg <sergent@Sun.COM>
Date: Mon, 26 Aug 2002 10:28:44 -0700
--On Monday, August 26, 2002 12:18 PM -0400 "Harding, Patrick" <Patrick.Harding@FMR.COM> wrote:
> I do not remember if the following scenario was discussed at all for Version 1.0. I am assuming the Enterprise is the IDP and the user has logged into the Enterprise Portal (in fact this is likely the browser's home page, and the login was transparent by way of NTLM authentication). The Enterprise Portal makes available a selection of external web sites that are SPs (e.g. via drop-down menu) such as Health Care, 401K, Corporate Credit Card. The user has been bulk federated with these external web sites by virtue of being an employee of the Enterprise. The Enterprise Portal already has control of the UI, and the link to the external web site has been dynamically created with hidden form fields that contain the AuthNResponse or Artifact. The profile (e.g. BrowserPOST), the principal's name identifier etc. have been pre-agreed. I see no reason at this point to bother with the AuthNRequest message. A quick browse of the specs indicates nothing that prevents this nor indicates that use of the AuthNRequest message is mandatory. Thoughts??
The SP should not/will not accept the Assertion unless its InResponseTo attribute (defined in a Liberty extension) matches an AuthnRequest that the SP generated. See line 530 of the protocols and schemas document for the requirement. It should also probably check that the issue instant of the request is close to the issue instant of the response, although I don't think that the protocol mandates this.
In this "enterprise" scenario, I assume that there is only one IDP. The enterprise portal's menu can link directly to the application on the SP that the user wishes to use. If the user is not authenticated to the application, the app redirects the user to its login page. (This is probably what the portal and the app already do without Liberty.) In this case, since it only has one IDP, rather than showing a username and password selection box, the SP's login "page" can redirect immediately to the IDP (no introduction necessary) with an AuthnRequest that has ForceAuthn set to false. The IDP should immediately send the user back to the SP at this point with a valid artifact for a response with the correct InResponseTo values and so on.
The amount of code in the SP to generate the request and do a redirection for unauthenticated users should be pretty minimal. Most of it can be canned and repeated except for the request ID and the issue instant.
— Jonathan Sergent / sergent@Sun.COM
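The SP-side logic the reply describes (issue an AuthnRequest with a fresh RequestID and IssueInstant, then accept only an assertion whose InResponseTo matches a request the SP itself generated and whose issue instant is close to the request's), as an added illustration that is not code from the thread, from the Liberty specifications or from any Sun product. Namespace URIs, element names, the 5-minute skew window and the single-use treatment of request IDs are assumptions made for the example; signatures, the artifact/POST transport and the portal's unsolicited response format are simplified to unsigned XML built with a toy IdP function.

```python
"""Added example: a minimal Liberty-style SP that only accepts assertions
answering an AuthnRequest it generated.  Namespaces, element names, skew
window and message layout are assumptions for illustration only."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed namespace URIs; verify against the spec version you implement.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
LIB = "http://projectliberty.org/schemas/core/2002/12"
POST_PROFILE = "http://projectliberty.org/profiles/brws-post"

# Policy choice (not mandated by the protocol, as the reply notes): the
# response's IssueInstant must lie within this window of the request's.
MAX_SKEW = timedelta(minutes=5)


def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.pending = {}  # RequestID -> IssueInstant of the request we sent

    def build_authn_request(self, now):
        """The canned request: only RequestID and IssueInstant vary per user."""
        request_id = secrets.token_hex(16)  # unguessable, so a forged InResponseTo won't match
        req = ET.Element(f"{{{LIB}}}AuthnRequest", {
            "RequestID": request_id, "MajorVersion": "1", "MinorVersion": "0",
            "IssueInstant": iso(now)})
        ET.SubElement(req, f"{{{LIB}}}ProviderID").text = self.provider_id
        ET.SubElement(req, f"{{{LIB}}}ForceAuthn").text = "false"  # reuse the IdP session
        ET.SubElement(req, f"{{{LIB}}}ProtocolProfile").text = POST_PROFILE
        self.pending[request_id] = now
        return request_id, ET.tostring(req)

    def accept_response(self, response_xml, now):
        """Return the NameIdentifier if the response answers a live request, else None."""
        resp = ET.fromstring(response_xml)
        assertion = resp.find(f"{{{SAML}}}Assertion")
        if assertion is None:
            return None
        # The unsolicited case from the portal scenario: no AuthnRequest, so no
        # InResponseTo we issued.  Reject.
        requested_at = self.pending.get(assertion.get("InResponseTo"))
        if requested_at is None:
            return None
        # Response issue instant must be close to the request's, and not in the future.
        issued = parse_iso(resp.get("IssueInstant"))
        if abs(issued - requested_at) > MAX_SKEW or issued > now + MAX_SKEW:
            return None
        # One response per request: consume the ID so a replayed response fails.
        del self.pending[assertion.get("InResponseTo")]
        name_id = assertion.find(f".//{{{SAML}}}NameIdentifier")
        return name_id.text if name_id is not None else None


def idp_authn_response(request_id, name_id, now):
    """Toy IdP (assumed layout, unsigned).  request_id=None models the portal
    pushing an assertion without any preceding AuthnRequest."""
    attrs = {"ResponseID": secrets.token_hex(16), "MajorVersion": "1",
             "MinorVersion": "0", "IssueInstant": iso(now)}
    if request_id is not None:
        attrs["InResponseTo"] = request_id
    resp = ET.Element(f"{{{LIB}}}AuthnResponse", attrs)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "AssertionID": secrets.token_hex(16), "Issuer": "idp.example.com",
        "IssueInstant": iso(now)})
    if request_id is not None:
        a.set("InResponseTo", request_id)  # the Liberty extension attribute
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = name_id
    return ET.tostring(resp)


if __name__ == "__main__":
    sp = ServiceProvider("https://sp.example.com")
    t0 = datetime(2002, 8, 26, 17, 28, tzinfo=timezone.utc)
    rid, _ = sp.build_authn_request(t0)
    print("unsolicited:", sp.accept_response(idp_authn_response(None, "emp123", t0), t0))
    good = idp_authn_response(rid, "emp123", t0 + timedelta(seconds=2))
    print("solicited:  ", sp.accept_response(good, t0 + timedelta(seconds=3)))
    print("replayed:   ", sp.accept_response(good, t0 + timedelta(seconds=4)))
```

The request-ID table would be a per-user session store in a real SP; what matters is that the ID is random, bound to the browser that was redirected, and removed once answered, which is also what defeats the portal-generated hidden-form-field response in the scenario being discussed.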