[BangPypers] Help regarding saml2

bhaskar jain bhaskar.jain2002 at gmail.com
Fri Feb 12 07:32:24 CET 2010

On Fri, Feb 12, 2010 at 10:19 AM, K.Manikandan <manikandank at tce.edu> wrote:

> > Would'nt simple cookies help you here since your domain is the same.
> >
> > SAML is for identity federation and is too big a monster for your use
> > case.
> > Have used SAML recently and AFAIK python-saml works for GoogleApps only.
> > You can use the python binding of lasso library. (
> > http://lasso.entrouvert.org/)
> >
> >
> > Domain = ".kkk.edu"
> >
> >
> > Best regards,
> > Bhaskar.
>               Each aaa.kkk.edu and bbb.kkk.edu receives separate
> requests.In such a case,working with req['session'] may not
> help here.How does python-lasso help in this scenario?

Seperate requests?
Session management?
Can you explain your use-case in a bit more details.

SAML is for federating identities. So for example, you have multiple
applications/web servers requiring authentication.
So you can have a single identity provider which handles the authentication
of the users and sends the user "details" to the application concerned.
There is trust between the applications and the identity provider. There are
things called profiles and the most common one is the "Web browser SSO
I dont thing session management could be handled. Most commonly SAML is used
for identity federation and Single Sign On only.

So in the web browser SSO profile, say you have two applications -
GoogleApps and Salesforce.
You set up an identity provider locally and configure the two applications
for SSO.
When a user tries to access the application, the application redirects the
browser (User Agent) to the identity provider.
The identity provider handles the authentication and authorization part. If
authentication is successful, it sends an assertion to the application.

The application is no more concerned about the authentication part.
Advantages are if you are already authenticated with the identity provider,
you achieve SSO with all the applications.
If the user leaves the company, he can no longer access the application.
(Day zero user revocation)
etc etc

Pretty detailed standard though.
Can check - http://docs.oasis-open.org/security/saml/v2.0/
Can ask the same on saml-dev mailing list -

With best regards,

More information about the BangPypers mailing list