Here is the rationale for my answer:
1. The user types in the name of the remote realm to the RP.
2. The RP trusts the trust router to set up the DH keys with some remote entity that purports to answer for this realm.
3. This remote entity authenticates the user and sends the answer to the RP along with unsigned SAML assertions about the same user in a RADIUS response.
4. Since the SAML assertions are unsigned, the RP has no PKI to rely on. It only has the trust router. Consequently it is the responsibility of the trust router (admin) to check that this remote entity:
   a) is the correct one to answer requests for this realm;
   b) does authenticate its users correctly;
   c) does issue correct SAML assertions for its users, regardless of the IDP name that accompanies the assertion.
This implies that the trust router (admin) should publish the IDP name that is used by the realm when issuing its SAML assertions, i.e. the trust router publishes realm name to IDP name mappings. An RP can then use this information to compare the names in SAML metadata.
regards
David
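The RP-side check this message argues for, as an added example that is not part of the thread: with no signature to verify, the RP compares the Issuer of the assertion it received in the RADIUS response against the IdP name the trust router publishes for the realm the user typed, and confirms that IdP is in its SAML metadata. The realm-to-IdP mapping, the metadata entityIDs and the sample assertion are all constructed placeholders.

```python
# Added example: RP validation of an unsigned SAML assertion using the
# realm -> IdP name mapping published by the trust router (constructed data).
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: mapping as the trust router (admin) would publish it.
TRUST_ROUTER_REALM_TO_IDP = {
    "example.ac.uk": "https://idp.example.ac.uk/idp",
}

# Constructed: entityIDs the RP has loaded from its SAML metadata.
RP_METADATA_ENTITY_IDS = {"https://idp.example.ac.uk/idp"}


def extract_issuer_and_subject(assertion_xml):
    """Return (Issuer, Subject NameID) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if issuer is None or name_id is None:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    return issuer.text.strip(), name_id.text.strip()


def check_assertion(realm, assertion_xml,
                    mapping=TRUST_ROUTER_REALM_TO_IDP,
                    metadata=RP_METADATA_ENTITY_IDS):
    """Accept only if the Issuer is the IdP the trust router publishes for
    this realm, that IdP is known from SAML metadata, and the subject's
    NAI belongs to the same realm. Returns (accepted, reason)."""
    expected_idp = mapping.get(realm)
    if expected_idp is None:
        return False, f"trust router publishes no IdP for realm {realm!r}"
    issuer, name_id = extract_issuer_and_subject(assertion_xml)
    if issuer != expected_idp:
        return False, f"issuer {issuer!r} is not the IdP published for {realm!r}"
    if issuer not in metadata:
        return False, f"issuer {issuer!r} not present in RP SAML metadata"
    if "@" not in name_id or name_id.rsplit("@", 1)[1].lower() != realm.lower():
        return False, f"subject {name_id!r} is not in realm {realm!r}"
    return True, "ok"


# Constructed sample assertion as it might arrive inside a RADIUS response.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.ac.uk/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.ac.uk</saml:NameID></saml:Subject>
</saml:Assertion>"""
```

Note that this only establishes that the claimed issuer is the one the trust router vouches for; whether that entity authenticates its users correctly remains, as the message says, the trust router admin's responsibility.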
On 10/11/2013 22:17, Leif Johansson wrote:
> On 11/10/2013 10:55 PM, David Chadwick wrote:
>> In a PKI this is the responsibility of the CA. In the case of ABFAB,
>> it's the responsibility of the trust router.
> The latter statement doesn't make sense. There is no trust router when
> you use SAML metadata to manage trust in abfab which is what this
> discussion is about.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab