OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] SAML, trust and WS.


 

> a security token isn't used "to authenticate" a user - as 
> such. in the context that you have described, the user was 
> already authenticated at some earlier point in time by some 
> means or another (according to some  security policy).

While this is correct, the confusing comes in for most people
because the presentation of this token in an SSO type profile
usually results in the bypass of an authentication step at
the relying party (thus causing people to equate this 
operation with an authentication).

Some people will also say that the presentation of this token
to the relying party is an authentication event because you 
are presenting some form of credential to an entity to get 
access to a resource (how different is that from providing 
a token containing a few text characters that the relying
party happens to know -- that's the typically username and
password authentication?).

I guess it essentially comes down to the point of view you
are using in interpreting the event.  From the issuer's and
user's point of view, I would say it doesn't appear to be an
authentication event (it's an SSO event), but from the relying
party's point of view it does to many people look like an 
authentication event.

Conor


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]