RE: [saml-dev] SAML, trust and WS.

["Giuseppe Sarno" <gsarno@nortel.com>]

Unfortunately the liberty framework is not only about delegation.
I Must be wrong here (please let me know if I am) 
but it seems that to achieve delegation I also then have to implement
the remaining part of the LA framework (Discovery, etc.) an from what I
have understood even the Web service application id driven by the
Liberty WSDL.

Ideally, I think, the Authentication/authorization bit should be
separate from the application and so for example
implement the SAML framework leaving the Web service implementation
independent (I might go for liberty, I might go for WS-*, I might go for
my own implementation of the WSDL).

Anyway this is just my opinion and I thought to share.

What do you think ?

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: 14 December 2005 15:58
To: Sarno, Giuseppe [MOP:GM15:EXCH]; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SAML, trust and WS.


> SAML provides capability for SSO and Delegation (via specific elements

> in the assertion).

No. SAML provides a core spec that can do lots of things. SAML also
includes a profile, supported by many products that does web SSO. That's
it. There are no profiles for delegation, and so if you do it, you're on
your own right now.

> SAML DOESN'T provide the capability (in a standard way - through
> profiles) for a SP to query or ask for one Assertion or the other. 
> (The only assertion currently supported in the profiles is the SSO 
> one.)

See above. Yes, you can request SSO. Since there are no profiles for
delegation, there's no way to "ask" for that either.

> The important bit which I'm not too sure about is the following: the 
> only difference between the two assertions is really the Subject 
> confirmation bit (in the delegation case we need a holder of key or 
> sender vouches). And the difference at the profile level is the 
> capability to specify the assertion required.

The difference is also to define what's in the assertion in the first
place. Yes, using holder of key is a logical way to do delegation, but
it's probably not the only way, and there are certainly a lot of other
details to it, potentially. The paper from Virginia for example bears
little resemblance to mine.

> This might be too simplistic but, is this correct ? what are other 
> things missing ?

I would say that it's all missing. If you want to do delegation *today*,
and not be inventing stuff, you basically have Liberty WSF. That's it.
Whether Liberty qualifies as a standard depends on your point of view,
but it's certainly got more behind it than just an academic paper or my
hand-waving.

-- Scott