To invoke S, C obtains a SAML token from an STS.
152 Hints Toward a Solution
has the same function as the Kerberos token in our diagram. It is
okay that the analogy is not 100 percent accurate. Tokens and
picture IDs have many similarities, but the former can be used
in many more ways and enables scenarios that do not have a
counterpart in the offline world. Besides, we dare the bureaucracy
of any administration to issue IDs as fast as an STS can
issue tokens! That said, there are still some instructional aspects
of the analogy that would be useful to spell out. The wine seller
knows that the picture ID shown by the client is true because it
recognizes the government manufacturing (e.g., holographic
serigraphy or special paper) and implicitly assumes that it is
extremely difficult to forge. How can S be sure that the SAML
token presented by C was actually issued by the STS that S
trusts? The system is much more secure than the offline counterpart.
The STS signs with its private key all the tokens it issues, so
anybody knowing the STS public key can verify their source.
Furthermore, the wine merchant compares the facial features of
the client in front of him with the picture in the ID document,
thus verifying that the document was actually issued to the
buyer.