SAML 2.0: LECP Solution Proposal, Work Plan Item W-5a, Frederick Hirsch (PowerPoint presentation)



SLIDE 1

SAML 2.0: LECP Solution Proposal

Work Plan Item W-5a

Frederick Hirsch 23 October 2003

SLIDE 2

Intent: Add an additional profile

  • Web Browser Artifact Profile
  • Web Browser POST Profile
  • LECP Profile
SLIDE 3

Use Case

  • Mobile phone user accesses web site for service
  • Site requests authentication in HTTP response
  • Client obtains authentication assertion from identity server it determines, e.g. mobile operator

  • Client passes assertion to service provider
  • Service provider returns response

(Note: LECP may be client or proxy)

SLIDE 4

Considerations

  • Client (or proxy) determines appropriate identity provider
  • Accommodate high-latency or unreliable networks
    – Minimize redirects
  • Accommodate constrained devices
    – Limited or no cookie support
    – URL length limitations
    – Scripting limitations (e.g. ECMAScript not supported)

  • Minimal impact on service providers
SLIDE 5

Impact

  • New profile document: LECP Profile
  • Profile specific schema definitions
    – AuthnRequestEnvelope, AuthnResponseEnvelope
    – IDPList
  • Core schema definitions
    – AuthnRequest, AuthnResponse

SLIDE 6

LECP Profile

  • HTTP request including Liberty-enabled client HTTP header
  • HTTP response with AuthnRequest
  • Client web services request containing AuthnRequest
  • Web services response with AuthnResponse
  • AuthnResponse in HTTP request to server
  • Server HTTP response with service
SLIDE 7

LECP Flow

Sequence diagram with three participants, IDP, LEC and SP; messages numbered as on the slide:

  1. LEC -> SP: HTTP GET
  2. SP -> LEC: AuthnRequest
  3. LEC -> IDP: AuthnRequest (SOAP)
  4. IDP -> LEC: AuthnResponse (SOAP)
  5. LEC -> SP: AuthnResponse
  6. SP -> LEC: 200 OK …

SLIDE 8

AuthnRequestEnvelope

  • AuthnRequest – the Liberty 1.1 authentication request
  • ProviderId – Identifier for SP
  • ProviderName – Human readable name for SP
  • IDPList – list of IDPs acceptable to SP, optional information for LEC
  • IsPassive – if “true”, do not interact with principal
SLIDE 9

AuthnResponseEnvelope

  • AuthnResponseEnvelope
    – AuthnResponse
    – AssertionConsumerServiceURL – URL IDP anticipates based on MetaData
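The six-step exchange from slides 6 through 9, as an added worked example that is not part of the original presentation and is not Liberty Alliance or OASIS code: a small Python model in which the service provider (SP), the Liberty-enabled client (LEC) and the identity provider (IDP) all run in one process. The header name `Liberty-Enabled`, the namespace URIs, the element layout, the status strings and every identity and URL are assumptions or constructed values; a real deployment signs the AuthnResponse and carries steps 3 and 4 over SOAP/HTTP. (This LECP proposal is the ancestor of the Enhanced Client or Proxy profile that shipped in SAML 2.0.)

```python
import xml.etree.ElementTree as ET

# Assumed (not from the slides): Liberty ID-FF 1.2 and SOAP 1.1 namespaces, and the request header an LEC adds.
LIB = "urn:liberty:iff:2003-08"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
LEC_HEADER = "Liberty-Enabled"
SP_PROVIDER_ID = "https://sp.example.net"                       # constructed SP identity
SP_ACS_URL = "https://sp.example.net/liberty/acs"               # constructed SP assertion consumer URL
SP_ACCEPTED_IDPS = ["https://idp.operator.example", "https://idp.other.example"]
IDP_PROVIDER_ID = "https://idp.operator.example"                # constructed IdP identity
IDP_SP_METADATA = {SP_PROVIDER_ID: SP_ACS_URL}                  # what the IdP knows about the SP from metadata

def lib(tag):
    return "{%s}%s" % (LIB, tag)

def sp_handle_get(headers, request_id="req-1", is_passive=False):
    """Steps 1-2 (SP): a GET carrying the LEC header gets an AuthnRequestEnvelope; other clients get None."""
    if LEC_HEADER not in headers:
        return None
    env = ET.Element(lib("AuthnRequestEnvelope"))
    req = ET.SubElement(env, lib("AuthnRequest"), RequestID=request_id)
    ET.SubElement(req, lib("ProviderID")).text = SP_PROVIDER_ID
    ET.SubElement(req, lib("IsPassive")).text = "true" if is_passive else "false"
    ET.SubElement(env, lib("ProviderID")).text = SP_PROVIDER_ID
    ET.SubElement(env, lib("ProviderName")).text = "Example Shop"
    entries = ET.SubElement(ET.SubElement(env, lib("IDPList")), lib("IDPEntries"))
    for pid in SP_ACCEPTED_IDPS:
        entry = ET.SubElement(entries, lib("IDPEntry"))
        ET.SubElement(entry, lib("ProviderID")).text = pid
        ET.SubElement(entry, lib("Loc")).text = pid + "/soap"   # Loc is required in 1.2 (slide 13)
    return ET.tostring(env)

def lec_select_idp(envelope_xml, client_idps):
    """Step 3 (LEC): pick an IdP the device already trusts that the SP also lists.
    client_idps maps ProviderID -> SOAP endpoint configured on the device (e.g. the operator's)."""
    env = ET.fromstring(envelope_xml)
    listed = {e.findtext(lib("ProviderID")) for e in env.iter(lib("IDPEntry"))}
    for pid, endpoint in client_idps.items():
        if not listed or pid in listed:  # no IDPList means the SP accepts any IdP
            return pid, endpoint         # the device's own endpoint, not the Loc the SP supplied
    return None

def lec_wrap_soap(envelope_xml):
    """Step 3 (LEC): lift the AuthnRequest out of the envelope into a SOAP Body for the IdP."""
    env = ET.fromstring(envelope_xml)
    soap = ET.Element("{%s}Envelope" % SOAP)
    ET.SubElement(soap, "{%s}Body" % SOAP).append(env.find(lib("AuthnRequest")))
    return ET.tostring(soap)

def idp_handle_soap(soap_xml, principal, session_exists):
    """Step 4 (IdP): answer with an AuthnResponseEnvelope whose AssertionConsumerServiceURL comes
    from the IdP's metadata for the requesting SP (slide 9), never from the request itself."""
    req = ET.fromstring(soap_xml).find("{%s}Body/%s" % (SOAP, lib("AuthnRequest")))
    sp_id = req.findtext(lib("ProviderID"))
    if sp_id not in IDP_SP_METADATA:
        raise ValueError("no metadata for SP %r, refusing to issue an assertion" % sp_id)
    env = ET.Element(lib("AuthnResponseEnvelope"))
    resp = ET.SubElement(env, lib("AuthnResponse"), InResponseTo=req.get("RequestID"))
    ET.SubElement(resp, lib("ProviderID")).text = IDP_PROVIDER_ID
    status = ET.SubElement(resp, lib("Status"))
    if req.findtext(lib("IsPassive")) == "true" and not session_exists:
        # IsPassive forbids prompting the principal; with no live session the IdP must fail instead.
        status.text = "lib:NoPassive"   # assumed status value, for illustration only
    else:
        status.text = "samlp:Success"
        # A real IdP places a signed SAML assertion here; a placeholder element stands in for it.
        ET.SubElement(resp, "Assertion", Subject=principal)
    ET.SubElement(env, lib("AssertionConsumerServiceURL")).text = IDP_SP_METADATA[sp_id]
    return ET.tostring(env)

def lec_forward_response(response_envelope_xml):
    """Step 5 (LEC): return (URL, AuthnResponse) to POST to the SP at the URL the IdP named."""
    env = ET.fromstring(response_envelope_xml)
    return env.findtext(lib("AssertionConsumerServiceURL")), ET.tostring(env.find(lib("AuthnResponse")))

def sp_handle_response(url, authn_response_xml, expected_request_id):
    """Step 6 (SP): accept only a response delivered to its own ACS URL that answers its own request."""
    resp = ET.fromstring(authn_response_xml)
    if url != SP_ACS_URL:
        return 404
    if resp.get("InResponseTo") != expected_request_id:
        return 400
    if resp.findtext(lib("Status")) != "samlp:Success":
        return 401
    return 200

def run_flow(headers, client_idps, session_exists=True, is_passive=False):
    """Drive all six steps in-process; returns the SP's HTTP status, None for a non-LEC client,
    or "no acceptable IdP" when the device's IdPs and the SP's IDPList do not intersect."""
    req_env = sp_handle_get(headers, is_passive=is_passive)
    if req_env is None:
        return None
    if lec_select_idp(req_env, client_idps) is None:
        return "no acceptable IdP"
    resp_env = idp_handle_soap(lec_wrap_soap(req_env), "alice", session_exists)
    url, authn_resp = lec_forward_response(resp_env)
    return sp_handle_response(url, authn_resp, "req-1")
```

Two trust decisions carry the model: the IdP resolves AssertionConsumerServiceURL from its own metadata for the SP named in the AuthnRequest, which is what slide 9 describes, so the client ends up posting the assertion only where the IdP expects the SP to receive it; and the client sends the SOAP request to the IdP endpoint it already has configured (its mobile operator, in the slide 3 use case), treating the SP-supplied IDPList and Loc only as a hint about which IdPs the SP will accept. With `IsPassive` set and no existing session the IdP returns a non-success status rather than prompting the principal, and the SP rejects the response with a 401, which is the failure mode a deployment must plan for on constrained devices.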

SLIDE 10

LECP: Profile

SLIDE 11

Schema elements

  • AuthnRequest
  • AuthnResponse
  • AuthnRequestEnvelope
  • IDPList
  • AuthnResponseEnvelope
SLIDE 12

Liberty 1.1/1.2 Changes

  • Lib namespace changed
  • AuthnRequest
    – Added optional Extension element
    – Added support for Affiliations, optional AffiliationID element
    – Added NameIDPolicy, ProxyAuthn, IntroductionArtifact, consent attribute
    – Removed Federate element, ID attribute
    – Changed name of AuthnContext to RequestAuthnContext, moved related elements to subelements
  • AuthnResponse
    – Added optional Extension element
    – Added optional consent attribute
    – Removed id attribute

SLIDE 13

Liberty 1.1/1.2 Changes

  • AuthnRequestEnvelope
    – Optional Extension element
  • IDPList
    – Loc now required, previously optional
  • AuthnResponseEnvelope – no change
  • Protocols & Schemas 1.2
    – https://www.projectliberty.org/specs/draft-lib-arch-protocols-schema-v1.2-17.pdf
  • Protocols & Schemas 1.1
    – https://www.projectliberty.org/specs/archive/v1_1/liberty-architecture-bindings-profiles-v1.1.pdf

SLIDE 14

Proposed Next Steps

  • LECP Profile
    – Include LECP specific schema definitions
  • Core schema changes
    – AuthnRequest, AuthnResponse