[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML, trust and WS.
> a security token isn't used "to authenticate" a user - as > such. in the context that you have described, the user was > already authenticated at some earlier point in time by some > means or another (according to some security policy). While this is correct, the confusing comes in for most people because the presentation of this token in an SSO type profile usually results in the bypass of an authentication step at the relying party (thus causing people to equate this operation with an authentication). Some people will also say that the presentation of this token to the relying party is an authentication event because you are presenting some form of credential to an entity to get access to a resource (how different is that from providing a token containing a few text characters that the relying party happens to know -- that's the typically username and password authentication?). I guess it essentially comes down to the point of view you are using in interpreting the event. From the issuer's and user's point of view, I would say it doesn't appear to be an authentication event (it's an SSO event), but from the relying party's point of view it does to many people look like an authentication event. Conor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]