Re: [dss] Authentication Token

[Ed Shallow <ed.shallow@rogers.com>]

Nick,

 

    Well put. I like the extensibility of the RequesterIdentity structure (i.e. the SupportingInfo). Perhaps we could add SupportingInfo to ClaimedIdentity. In the EPM profile draft I had reused RequesterIdentity as an OptionalInput.

 

Ed

Nick Pope <pope@secstan.com> wrote:

> As discussed at yesterdays phone conference:
>
> a) In in discuss the JP Morgan/RSA system the requirement to add the
> capability to carry an authentication token (one time password, SAML
> assertion ...) in a DSS has been identified
>
> b) A similar requirement has been identified in EPM
>
> Previously, it had been decided that such a capability was not necessary as
> such authentication information could be carried in the underlying binding.
> Although there were views that such a feature would be useful, at the time
> the case was not strong enough for putting this in the core.
>
> Given that there are two profiles where this need has come up again, I would
> suggest that we need to revisit whether such an element should be added to
> the core.
>
> The element to carry such an authentication token could be either a new
> optional input, or an extension to
>  ClaimedId. I would prefer an extension
> to the ClaimedId element as the authentication is logically associated with
> the Id.
>
> Views?
>
>
> Nick
>
> PS:
> Whilst looking at this I note that the saml:NameIdentifierType that we use
> has been replaced in the new SAML assertion syntax by "NameIDType". Do we
> want to follow them, stay referring to an old syntax, or split off from
> SAML?
>
>
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.