Re: [liberty-dev] Enterprise Portal question

From Jon Serg <sergent@Sun.COM>
Date Mon, 26 Aug 2002 10:28:44 -0700

--On Monday, August 26, 2002 12:18 PM -0400 "Harding, Patrick" <Patrick.Harding@FMR.COM> wrote:

> I do not remember if the following scenario was discussed at all for
> Version 1.0.
> I am assuming the Enterprise is the IDP and the user has logged into the
> Enterprise Portal (in fact this is likely the browser's home page, and the
> login was transparent by way of NTLM authentication). The Enterprise
> Portal makes available a selection of external web sites that are SPs
> (e.g. via drop down menu) such as Health Care, 401K, Corporate Credit
> Card. The user has been bulk federated with these external web sites by
> virtue of being an employee of the Enterprise.
> The Enterprise Portal already has control of the UI, and the link to the
> external web site has been dynamically created with hidden form fields
> that contain the AuthNResponse or Artifact. The profile (e.g.
> BrowserPOST), the principal's name identifier etc. have been pre-agreed.
> I see no reason at this point to bother with the AuthNRequest message. A
> quick browse of the specs indicates nothing that prevents this nor
> indicates that use of the AuthNRequest message is mandatory.

The SP should not/will not accept the Assertion unless its InResponseTo attribute (defined in a Liberty extension) matches an AuthnRequest that the SP generated. See line 530 of the protocols and schemas document for the requirement. It should also probably check that the issue instant of the request is close to the issue instant of the response, although I don't think that the protocol mandates this.

In this "enterprise" scenario, I assume that there is only one IDP. The enterprise portal's menu can link directly to the application on the SP that the user wishes to use. If the user is not authenticated to the application, the app redirects the user to its login page. (This is probably what the portal and the app already do without Liberty.) In this case, since it only has one IDP, rather than showing a username and password selection box, the SP's login "page" can redirect immediately to the IDP (no introduction necessary) with an AuthnRequest that has ForceAuthn set to false. The IDP should immediately send the user back to the SP at this point with a valid artifact for a response with the correct InResponseTo values and so on.

The amount of code in the SP to generate the request and do a redirection for unauthenticated users should be pretty minimal. Most of it can be canned and repeated except for the request ID and the issue instant.

— Jonathan Sergent / sergent@Sun.COM
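The SP-side logic the reply describes, as an added illustration that is not part of the original thread and not code from Sun or the Liberty Alliance: the SP mints an AuthnRequest in which only the request ID and issue instant vary, remembers it, and later accepts a response only if its InResponseTo names an outstanding request (consumed once, so a replayed or portal-forged response is refused) and its issue instant is close to the request's. Messages are modelled as plain dicts rather than Liberty XML, signatures and the artifact exchange are left out, and the 300-second skew window, the provider identifiers and the clock injection are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumption for this example: a response must be issued within 5 minutes of
# its request. The reply notes the protocol does not mandate such a check.
MAX_SKEW_SECONDS = 300.0


@dataclass
class AuthnRequest:
    request_id: str
    issue_instant: float
    provider_id: str
    force_authn: bool


class ServiceProvider:
    """Minimal SP that issues AuthnRequests and validates responses against them."""

    def __init__(self, provider_id, idp_sso_url, now=time.time):
        self.provider_id = provider_id      # constructed identifier for this SP
        self.idp_sso_url = idp_sso_url      # the single IDP in the enterprise scenario
        self._now = now                     # injectable clock so tests are deterministic
        self._pending = {}                  # request_id -> AuthnRequest not yet answered

    def build_redirect(self, force_authn=False):
        """Create the 'canned' request: everything is fixed except ID and IssueInstant."""
        req = AuthnRequest(
            request_id="_" + secrets.token_hex(16),  # unpredictable, unique per request
            issue_instant=self._now(),
            provider_id=self.provider_id,
            force_authn=force_authn,
        )
        self._pending[req.request_id] = req
        message = {
            "RequestID": req.request_id,
            "IssueInstant": req.issue_instant,
            "ProviderID": req.provider_id,
            "ForceAuthn": req.force_authn,
        }
        return req, self.idp_sso_url, message

    def accept_response(self, response):
        """Return (accepted, reason). Mirrors the InResponseTo rule from the reply."""
        in_response_to = response.get("InResponseTo")
        if not in_response_to:
            # A response pushed by a portal via hidden form fields arrives here.
            return False, "unsolicited response: no InResponseTo"
        req = self._pending.pop(in_response_to, None)  # one-time use blocks replay
        if req is None:
            return False, "InResponseTo does not match an outstanding AuthnRequest"
        skew = float(response.get("IssueInstant", 0.0)) - req.issue_instant
        if skew < 0 or skew > MAX_SKEW_SECONDS:
            return False, "response issue instant too far from request issue instant"
        return True, "ok"

    def pending_count(self):
        return len(self._pending)


def demo():
    """Run the happy path plus the three rejection cases on a fixed clock."""
    clock = [1_000.0]
    sp = ServiceProvider("https://sp.example.test", "https://idp.example.test/sso",
                         now=lambda: clock[0])
    req, _, _ = sp.build_redirect()
    # Constructed IDP response: correlated with the request, issued 10 s later.
    good = {"InResponseTo": req.request_id, "IssueInstant": 1_010.0}
    results = {
        "good": sp.accept_response(good)[0],
        "replay": sp.accept_response(good)[0],                    # same response again
        "unsolicited": sp.accept_response({"IssueInstant": 1_010.0})[0],
    }
    req2, _, _ = sp.build_redirect()
    stale = {"InResponseTo": req2.request_id, "IssueInstant": 1_000.0 + 3_600}
    results["stale"] = sp.accept_response(stale)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The pending-request table is the whole cost on the SP side: without it there is nothing for InResponseTo to match, which is exactly why the portal-pushed response in the quoted scenario cannot be accepted.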
