Subject: when in doubt, read the spec...
> ...the confusion comes in for most people
> because the presentation of this token in an SSO type profile
> usually results in the bypass of an authentication step at
> the relying party...

all due respect, but isn't "the bypass of an authentication step" the whole purpose of SSO by definition? surely, that's what the "single" refers to in "SSO". no?

> ...because you are presenting some form of credential to an
> entity...

i hate to be pedantic, but does the saml spec refer to an assertion as a credential? my understanding is that an assertion is a "claim" or "statement". i take my understanding of what an assertion is (and what it is not) from the spec. for instance:

"...the asserting party asserts that this user has been authenticated..." (pg 3, sstc-saml-tech-overview-1.1-cd.pdf).

misinterpretation of a spec as complicated and rich as the saml spec is inevitable, i'm sure. and i appreciate that only a small percentage of implementors will actually read the saml specs. i'm not trying to shoot holes in folks' personal interpretations of the spec. if thinking of an assertion as an authentication makes it easier for folks to understand saml, then far be it from me to try to correct them. i only want to get as clear and precise an understanding of the spec as i possibly can at this early stage of my learning it. and hopefully, along the way, help to make the spec less confusing for other developers that are also new to saml.