Subject: RE: [saml-dev] SAML, trust and WS.
Unfortunately the Liberty framework is not only about delegation. I must be wrong here (please let me know if I am) but it seems that to achieve delegation I also then have to implement the remaining part of the LA framework (Discovery, etc.) and from what I have understood even the Web service application is driven by the Liberty WSDL.

Ideally, I think, the Authentication/authorization bit should be separate from the application and so for example implement the SAML framework leaving the Web service implementation independent (I might go for Liberty, I might go for WS-*, I might go for my own implementation of the WSDL).

Anyway this is just my opinion and I thought to share. What do you think?

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 14 December 2005 15:58
To: Sarno, Giuseppe [MOP:GM15:EXCH]; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SAML, trust and WS.

> SAML provides capability for SSO and Delegation (via specific elements
> in the assertion).

No. SAML provides a core spec that can do lots of things. SAML also includes a profile, supported by many products, that does web SSO. That's it. There are no profiles for delegation, and so if you do it, you're on your own right now.

> SAML DOESN'T provide the capability (in a standard way - through
> profiles) for a SP to query or ask for one Assertion or the other.
> (The only assertion currently supported in the profiles is the SSO
> one.)

See above. Yes, you can request SSO. Since there are no profiles for delegation, there's no way to "ask" for that either.

> The important bit which I'm not too sure about is the following: the
> only difference between the two assertions is really the Subject
> confirmation bit (in the delegation case we need a holder of key or
> sender vouches). And the difference at the profile level is the
> capability to specify the assertion required.

The difference is also to define what's in the assertion in the first place.

Yes, using holder of key is a logical way to do delegation, but it's probably not the only way, and there are certainly a lot of other details to it, potentially. The paper from Virginia for example bears little resemblance to mine.

> This might be too simplistic but, is this correct? What are other
> things missing?

I would say that it's all missing. If you want to do delegation *today*, and not be inventing stuff, you basically have Liberty WSF. That's it. Whether Liberty qualifies as a standard depends on your point of view, but it's certainly got more behind it than just an academic paper or my hand-waving.

-- Scott