
saml-dev message



Subject: RE: [saml-dev] SAML 2.0 & Authentication mechanism [service]


> My concern/question is that SAML 2.0 does not talk about how 
> authentication should be done using standard protocol 
> messages (something like that of ID-WSF Authentication 
> Service SASL messages).

Correct, but this is a good thing.

>                 Authentication
> ECP    <-------------------------->   IDP   
>  
> Messages for the above step are problems for me. I know I can 
> use Authentication service for this as defined in ID-WSF 
> (SASL) but somehow not feeling comfortable mixing 
> specifications in implementation.

You're already mixing plenty of specs (TLS, HTTP, etc). SAML doesn't need to
define authentication protocols other than those using SAML as an
authentication protocol (which is what the SSO profile is).

If the SASL over SOAP approach seems good for your use case, I'd use it.
OTOH, if sending a password over TLS with basic-auth is good enough and you
don't need the flexibility SASL has, I'd probably use that, since it's
easier.

-- Scott


