OASIS Mailing List Archives
saml-dev message



Subject: RE: [saml-dev] SAML, trust and WS.


> AFAICT, the exchange between SPa and the IdP is to (1) bind SPa's key,
> and (2) produce a NameID that SPb can use to query attributes.

Correct.

> > So the IdP has to keep generating transients.
> 
> Indeed!

That's true of anything save for a global identifier, or at a minimum a
single encrypted ID that would be correlatable across all the SPs in the
chain (one token, in other words).

> An SP can't just decide on its own to delegate.  The right to delegate
> must be granted by the user (via the IdP).  An SP in the chain must be
> bound to the chain by an entity preceding it in the chain.

Right.

-- Scott
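The delegation chain the thread describes (a fresh transient NameID per SP, delegation only where the user has granted it at the IdP, and every SP bound to the chain by the entity before it) modelled as an added Python example. This is not code from the thread or from any SAML implementation, and it is not SAML XML: the HMAC-tagged assertion, the consent table, the transient-to-user table and the entity names SPa/SPb/SPc are my assumptions for illustration. Holder-of-key binding of SPa's key is deliberately left out of the model.

```python
"""Toy model of IdP-mediated delegation with per-SP transient identifiers.

Assumed (not from the thread): the IdP tags assertions with an HMAC key,
user consent is a set of (user, delegator, delegate) triples held at the IdP,
and attribute queries are resolved from a transient-to-user table at the IdP.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    name_id: str      # transient identifier, fresh for every issuance
    audience: str     # the SP this assertion was issued to
    chain: tuple      # entities that delegated so far, earliest first
    mac: str          # IdP integrity tag over the fields above

    def fields(self) -> str:
        return "|".join([self.name_id, self.audience, ",".join(self.chain)])


class IdP:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._transients = {}   # name_id -> user; only the IdP can correlate
        self._consent = set()   # (user, delegator, delegate) granted by the user

    def _tag(self, data: str) -> str:
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def verify(self, a: Assertion) -> bool:
        return hmac.compare_digest(a.mac, self._tag(a.fields()))

    def grant_delegation(self, user: str, delegator: str, delegate: str) -> None:
        """The user (via the IdP) permits delegator to hand the user off to delegate."""
        self._consent.add((user, delegator, delegate))

    def _mint(self, user: str, audience: str, chain: tuple) -> Assertion:
        name_id = "_" + secrets.token_hex(16)   # new transient on every issuance
        self._transients[name_id] = user
        unsigned = Assertion(name_id, audience, chain, "")
        return Assertion(name_id, audience, chain, self._tag(unsigned.fields()))

    def authenticate(self, user: str, sp: str) -> Assertion:
        """First hop: the user signs in at sp; the chain is still empty."""
        return self._mint(user, sp, ())

    def delegate(self, presented: Assertion, requester: str, target: str) -> Assertion:
        """requester presents its own assertion and asks for one it can hand to target.

        The IdP extends the chain only if the presented assertion is genuine,
        was issued to requester (so requester precedes target in the chain),
        and the user has granted requester the right to delegate to target.
        """
        if not self.verify(presented):
            raise PermissionError("assertion tag does not verify")
        if presented.audience != requester:
            raise PermissionError("requester is not the holder of this assertion")
        user = self._transients.get(presented.name_id)
        if user is None:
            raise PermissionError("unknown transient identifier")
        if (user, requester, target) not in self._consent:
            raise PermissionError("user has not permitted this delegation")
        return self._mint(user, target, presented.chain + (requester,))

    def attributes(self, a: Assertion, requester: str) -> dict:
        """Attribute query keyed by the transient; only the named audience may ask."""
        if not self.verify(a) or a.audience != requester:
            raise PermissionError("assertion was not issued to requester")
        return {"user": self._transients[a.name_id]}   # stand-in for real attributes


def delegation_allowed(idp: IdP, presented: Assertion, requester: str, target: str) -> bool:
    """True if the IdP would extend the chain for this request, False if it refuses."""
    try:
        idp.delegate(presented, requester, target)
        return True
    except PermissionError:
        return False


def run_chain(idp: IdP) -> tuple:
    """Constructed scenario: alice signs in at SPa, SPa delegates to SPb."""
    idp.grant_delegation("alice", "SPa", "SPb")
    a1 = idp.authenticate("alice", "SPa")
    a2 = idp.delegate(a1, "SPa", "SPb")
    return a1, a2


if __name__ == "__main__":
    idp = IdP(secrets.token_bytes(32))
    a1, a2 = run_chain(idp)
    print("SPa sees", a1.name_id)
    print("SPb sees", a2.name_id, "chain", a2.chain)
    print("SPb attribute query ->", idp.attributes(a2, "SPb"))
    print("SPb delegating to SPc without consent:", delegation_allowed(idp, a2, "SPb", "SPc"))
    print("SPc replaying SPa's assertion:", delegation_allowed(idp, a1, "SPc", "SPb"))
```

The two negative cases at the end are the point: SPb cannot extend the chain to SPc because the user never granted that, and SPc cannot insert itself by replaying SPa's assertion because that assertion was not issued to SPc. SPa and SPb each hold a different transient, so neither can correlate the user across hops on its own; only the IdP, which holds the transient table, can. A single global or encrypted identifier would remove that property, which is the trade-off Scott notes above.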


