W3C home > Mailing lists > Public > public-wsc-wg@w3.org > December 2006

ACTION-11 SSO & Federated Identity

From: Hal Lockhart <hlockhar@bea.com>
Date: Mon, 4 Dec 2006 13:30:37 -0800
Message-ID: <D0C847B2BD75414090045D8C7EA3D59402B2D656@repbex01.amer.bea.com>
To: <public-wsc-wg@w3.org>

This is a rough first cut, with none of the underlying protocol
handshakes given. 

SAML, WS-Federation and most proprietary Web SSO schemes have flows
similar to these.

Case 0. User establishes TLS session, signs on with username/password
(usually with form post, sometimes http basic auth) server takes down
TLS for rest of session. 
[Should we worry about this case? Although password is protected from
interception, there is no binding to rest of interaction allowing
session hijack, interception of app data, etc. User sees lock during
initial interaction and believes session is "secure." Usual logic is for
performance, however unclear this is even true as most of TLS overhead
is in setup (key exchange.)]

Case 1. User connects to Identity Provider (IdP), signs on, typically
with username/password over TLS, but possibly w/o TLS, or via
alternative such as onetime password from hdw token. User then clicks on
link to Service Provider (SP) which may be in same or different domain
as IdP. Generally user is unaware that distinct site is being accessed.
(By design.)

Case 2. Like case 1 except user begins by clicking on link to SP. App
site detects that no login has been done (typically via cookie) and
redirects user to IdP. Idp does login as in 1 and redirects user back to
SP. Second request is performed without intervention by IdP.

Case 3. Like case 2 except, IdP to use may vary for different users. SP
first determines IdP to user (e.g. by asking user, querying service,
redirecting to canonical location, etc.) then all proceeds as in case 2.

Received on Monday, 4 December 2006 21:30:51 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:13 UTC