SASL-SAML update
Klaas Wierenga, Kitten WG
9-Nov-2010
Topics
• Update on SASL-SAML draft
• Difference between SASL-SAML and SASL-SAML-EC
Changes in SASL-SAML draft
• WG -00
  – Sanitized GSS-API stuff
  – Editorial changes
• -01
  – Server redirect is URI instead of HTTP redirect
  – Security consideration about secure channel
SAML 2.0 WebSSO flow
[Figure: Client, Identity Provider, Relying Party; the numbered steps below are the arrows in the diagram]
1. Resource Request
2. Authentication Request
3. Request SSO Service
4. Authenticate both client and IdP
5. Authentication Statement
6. Client passes AuthN Statement to RP
SAML 2.0 and SASL
[Figure: SAML Client (browser), IdP, RP, SASL server, SASL Client, Application; steps 1-6 of the WebSSO flow shown between the SAML client, IdP and RP]
SASL-SAML
[Figure: SAML Client (browser), IdP, RP, SASL server, SASL Client, Application; step 2 is split into 2a (SASL server to SASL client) and 2b (SASL client to browser), then steps 3-6 as in the WebSSO flow]
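The two slides above describe the same six WebSSO messages, first between a browser, IdP and RP, and then with the SASL server handing the IdP URI to the SASL client (2a), which passes it on to a browser (2b). The following Python model is an added illustration and is not code from the draft or from the presenter. It assumes plain dicts in place of SAML XML, an HMAC over the assertion fields in place of the IdP's XML signature, a single process acting as both Relying Party and SASL server, and constructed URLs and entity IDs; none of these come from the slides. What it adds to the slide is the validation the RP has to do at step 6 before it can complete the SASL exchange: the statement must answer an AuthnRequest this RP issued (once), carry a valid signature, name this RP as audience, and be unexpired.

```python
"""Toy model of the SAML 2.0 WebSSO flow wrapped in a SASL-SAML exchange.

Added illustration, not code from the SASL-SAML draft or the talk.
Assumptions (not from the slides): messages are dicts rather than XML, the
IdP's XML signature is replaced by an HMAC, and the Relying Party also
terminates the SASL exchange.
"""
import hashlib
import hmac
import secrets
import time

IDP_SSO_URL = "https://idp.example/sso"      # constructed example URL
RP_ENTITY_ID = "https://rp.example/sasl"     # constructed audience value
IDP_KEY = secrets.token_bytes(32)            # stands in for the IdP signing key
ASSERTION_LIFETIME = 300                     # seconds


def sign(fields: dict, key: bytes) -> str:
    """Stand-in for the XML signature: HMAC over a canonical field order."""
    data = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, users: dict):
        self.users = users

    def sso(self, authn_request: dict, username: str, password: str):
        # Step 4: authenticate the client. (The client authenticates the IdP
        # through the TLS channel, which this model does not represent.)
        if self.users.get(username) != password:
            return None
        # Step 5: issue the authentication statement, bound to the request
        # that asked for it and to the RP that issued that request.
        fields = {
            "subject": username,
            "audience": authn_request["issuer"],
            "in_response_to": authn_request["id"],
            "expires": int(time.time()) + ASSERTION_LIFETIME,
        }
        return {**fields, "sig": sign(fields, IDP_KEY)}


class SaslSamlServer:
    """Relying Party that also terminates the SASL exchange."""

    def __init__(self, idp_key: bytes):
        self.idp_key = idp_key
        self.pending = {}          # outstanding AuthnRequests, keyed by id

    def initial_challenge(self):
        # Steps 1-2 / 2a: the SASL client has asked for the resource; answer
        # with a URI the client hands to a browser (a URI, not an HTTP 302,
        # per the -01 change). The request id rides along in the URI.
        req_id = secrets.token_hex(8)
        self.pending[req_id] = {"id": req_id, "issuer": RP_ENTITY_ID}
        return f"{IDP_SSO_URL}?authn_request={req_id}", self.pending[req_id]

    def consume_assertion(self, assertion: dict):
        # Step 6: validate the statement before trusting its subject.
        req = self.pending.pop(assertion.get("in_response_to"), None)
        if req is None:
            return None            # unsolicited, or a replay of a used one
        fields = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(sign(fields, self.idp_key), assertion["sig"]):
            return None            # tampered or not from our IdP
        if assertion["audience"] != RP_ENTITY_ID:
            return None            # issued for a different RP
        if assertion["expires"] < time.time():
            return None            # stale
        return assertion["subject"]


def run_flow(idp: IdentityProvider, server: SaslSamlServer, user: str, pw: str):
    """One complete exchange; returns the authenticated subject or None."""
    uri, authn_request = server.initial_challenge()     # 2a: URI to SASL client
    # 2b / step 3: the browser follows the URI to the IdP's SSO service.
    assertion = idp.sso(authn_request, user, pw)        # steps 4-5
    if assertion is None:
        return None
    return server.consume_assertion(assertion)          # step 6, then SASL success


def replay_demo():
    """Present the same statement twice; the second use must fail."""
    idp = IdentityProvider({"alice": "correct horse"})
    server = SaslSamlServer(IDP_KEY)
    _, req = server.initial_challenge()
    assertion = idp.sso(req, "alice", "correct horse")
    return server.consume_assertion(assertion), server.consume_assertion(assertion)


def tamper_demo():
    """Change the subject after signing; the RP must reject it."""
    idp = IdentityProvider({"alice": "correct horse"})
    server = SaslSamlServer(IDP_KEY)
    _, req = server.initial_challenge()
    assertion = idp.sso(req, "alice", "correct horse")
    assertion["subject"] = "admin"
    return server.consume_assertion(assertion)


if __name__ == "__main__":
    idp = IdentityProvider({"alice": "correct horse"})
    print(run_flow(idp, SaslSamlServer(IDP_KEY), "alice", "correct horse"))
    print(run_flow(idp, SaslSamlServer(IDP_KEY), "alice", "wrong"))
```

The model keeps the SASL client as thin as the slide suggests: it only relays the URI to a browser and waits for the server's outcome, while every trust decision sits in the RP's `consume_assertion`. In a real deployment the in-response-to check, the audience check and the expiry check all still apply, with an XML signature in place of the HMAC.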
SASL-SAML-EC
[Figure: SAML-aware Client, IdP, RP, SASL server, SASL Client, Application; steps 1-6 run between the SAML-aware client, IdP and RP with no browser]
Pros and Cons
• SASL-SAML
  + minimal change to SASL client
  + no extra application that is trusted with authentication credentials
  + no need to touch the IdP
  – rely on external program
  – 'strange' user experience
• SASL-SAML-EC
  + 'cleaner' solution
  + no need for external program
  – yet another piece of software to trust with user credentials
  – IdP needs to support the ECP profile
  – SASL client needs to implement the ECP profile