Subject: RE: [saml-dev] when in doubt, read the spec...
> all due respect, but isn't "the bypass of an authentication step"
> the whole purpose of SSO by definition? surely, that's what the
> "single" refers to in "SSO". no?

No, it refers to the lack of user-visible intervention to get authenticated. You "sign-on" visibly once, but each time you interact with an IdP or an SP, I consider you to be authenticating. At the IdP, it might be with a cookie (a bearer token), while at the SP, it's via a SAML assertion (also a bearer token). Authentication is fundamentally the translation of one credential into another. AFAIC, anything that meets that criterion is an authn act.

> i hate to be pedantic, but does the saml spec refer to an
> assertion as a credential?

Whether it does or not, if a relying party accepts one as a means of authenticating a user, it is one to that party.

> the spec. if thinking of an assertion as an authentication makes
> it easier for folks to understand saml, then far be it for me to
> try to correct them.

I think the world is complicated enough without trying to carve out things that are clearly authentication acts and come up with a new name for them. If you look at Kerberos, I can't believe that somebody wouldn't consider the presentation of a service ticket with a (wait for it...) "authenticator" to be authentication. And using SAML is no different. In both cases, you start with something else (e.g. a password) but you don't use that credential later to authenticate to a service, you use the thing you got in exchange. Each point of contact has its own authn protocol to be concerned about.

-- Scott