
Signature Services should use the Scoping element in AuthnRequests #24

Closed
martin-lindstrom opened this issue Apr 27, 2017 · 2 comments

@martin-lindstrom (Member):

An Identity Provider serving an AuthnRequest sent from a signature service has no way of figuring out information about the actual service provider that invoked the signature service.

One organization may have several service providers, and they may all be using the same instance of signature service to provide signature services. The service providers may be differently configured. One may be intended for mobile devices (apps) and another one for an ordinary desktop. An IdP receiving requests from these service providers may then implement its services differently depending on what it knows about the service provider (it may even have configuration that is obtained by other means than reading SP metadata).

Now, the problem arises when one SP with a particular configuration at the IdP (and in SAML metadata) invokes a signature flow which eventually leads to the organization signature service generating an AuthnRequest and passing the user and request to the IdP. How will the IdP know which configuration to apply when the user should authenticate for signature? The organization signature service SP cannot be configured to suit all SP:s.

The suggestion is to recommend Signature Service SP:s to include the entityID of the SP that the user has authenticated at in the AuthnRequest (if available). An IdP may then, if needed, apply different behaviour for different calls from the same Signature Service SP by looking at the passed "orig SP entityID".

For this purpose the Signature Service SP should use the <saml2p:Scoping> element and in this element include a <saml2p:RequesterID> holding the entityID of the SP that initiated the call.

<saml2p:Scoping>
  <saml2p:RequesterID>http://www.origsp.com/sp</saml2p:RequesterID>
</saml2p:Scoping>

Also see this thread in the discussion forum.
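Added example (not code from this issue or the project): an IdP-side helper that reads the RequesterID values from an AuthnRequest's Scoping element and picks a per-SP profile only when the value matches an entityID the IdP already knows, falling back to the default behaviour otherwise. The AuthnRequest, the SP_PROFILES table and the profile fields are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: what a signature-service SP might send, carrying the
# originating SP's entityID in saml2p:Scoping/saml2p:RequesterID.
SAMPLE_AUTHN_REQUEST = """<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2017-05-02T10:00:00Z">
  <saml2:Issuer>https://sigservice.example.org/sp</saml2:Issuer>
  <saml2p:Scoping>
    <saml2p:RequesterID>http://www.origsp.com/sp</saml2p:RequesterID>
  </saml2p:Scoping>
</saml2p:AuthnRequest>
"""

# Hypothetical per-SP configuration held by the IdP (constructed values),
# keyed by entityIDs the IdP knows from metadata or out-of-band configuration.
SP_PROFILES = {
    "http://www.origsp.com/sp": {"ui": "mobile", "loa": "substantial"},
}
DEFAULT_PROFILE = {"ui": "desktop", "loa": "substantial"}


def requester_ids(authn_request_xml):
    """Return the RequesterID values found under Scoping, in document order."""
    root = ET.fromstring(authn_request_xml)
    return [e.text.strip()
            for e in root.findall("saml2p:Scoping/saml2p:RequesterID", NS)
            if e.text and e.text.strip()]


def select_profile(authn_request_xml, known_profiles=SP_PROFILES):
    """Pick the profile for the originating SP, or the default.

    The RequesterID is only asserted by the signature-service SP (it is not
    proven by the originating SP), so it may change behaviour only when it
    names an entityID the IdP already knows; unknown or absent values get the
    default, as this issue's discussion describes.
    """
    for rid in requester_ids(authn_request_xml):
        if rid in known_profiles:
            return rid, known_profiles[rid]
    return None, DEFAULT_PROFILE
```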

@Razumain (Member) commented May 2, 2017:

As long as this information is optional, it will only provide opportunities and no burden. The issue is that certain IdP:s wish to offer adapted behaviour for those SP:s that require it. Unless this information is provided, the SP will get a default behaviour.

@martin-lindstrom (Member, Author) commented:

Info: The test SP at https://eid.litsec.se/svelegtest-sp/sp has been updated so that a RequesterID may be included in AuthnRequest messages.

@martin-lindstrom martin-lindstrom self-assigned this May 25, 2017
@martin-lindstrom martin-lindstrom moved this from In Progress to Done in Post March 2017 Jun 5, 2017