OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] Con Call Tuesday 4/23

Title: RE: [saml-dev] Con Call Tuesday 4/23

From Parteek's Proposal:
"Users can login to the portal and view a content page with links to content hosted at distinct web sites. Each of the content-provider sites is secured by a security vendor distinct from the one found at the portal."

How are we deciding what content links to show in the portal? What if upon login to the portal, the portal makes AuthZ decision request(s) to each content provider. Each content provider then issues a set of Authorization Decision Assertions representing which links a user can or cannot access. The Portal can consume these assertions to personalize the set of links available to the user.

Ken Yagen
Director, Software Development
CrossLogix, Inc
www.crosslogix.com
 

-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Monday, April 22, 2002 7:18 AM
To: 'Don Bowen'; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Con Call Tuesday 4/23



>>- Discuss the technical focus
>>  - We have agreed that browser artifact is at least one aspect of the
>>demo
>>  - If we are going to do anything with authz decision assertions we
>>will need a clear proposal and I think all of us would like to see
>>this happen
>>

I will like to express my serious reservations with a broad expansion of the demonstration described in the document draft-catalyst-interop-plan-00.doc.

I would view
use of AuthZ statements AND inclusion of the PEP-PDP protocol as an extremely broad expansion.

The flows I have described in the plan are at a high-level. It will some work to make them concrete. We haven't done this work yet!!

Here are some issues that need to be addressed:

(1) What is the exact format of the SAML assertion transferred between "portal" and content-site?

In particular,

        (a) Must certain optional SAML elements must be used?

        (b) For the SAML elements which must be present, are there specific values or formats that must be used? Examples, include <AuthenticationMethod>, <NameIdentifier> etc,

        (c) If attributes are present (and I think they should be!), what are they? What should their values be?

        (d) Will we use a DSML2.0 version of a standard LDAP schema such as InetOrgPerson for the attributes?

(2) Which browser type and versions due we plan to test with?

(3) In Steps 4 and 5 of the browser/artifact profile, the content-site and portal must mutually authenticate each other. I would suggest that the portal site use SSL (with a certificate -- who is the issuer for this

certificate?) and the content-site authenticate using a password (Basic/SSL).

Is this acceptable? Do people want a stronger or weaker security interaction between content-site and portal?

(4) Exactly what are the negative and positive flows we will demo? These need to be called out in full detail. Without negative flows (e.g., content-site does not allow access to certain content) the general public is not going to appreciate the demo very much.


        

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC