[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] SAML, trust and WS.
> AFAICT, the exchange between SPa and the IdP is to (1) bind SPa's key,
> and (2) produce a NameID that SPb can use to query attributes.

Correct.

> > So the IdP has to keep generating transients.
>
> Indeed!

That's true of anything save for a global identifier, or at a minimum a single encrypted ID that would be correlatable across all the SPs in the chain (one token, in other words).

> An SP can't just decide on its own to delegate. The right to delegate
> must be granted by the user (via the IdP). An SP in the chain must be
> bound to the chain by an entity preceding it in the chain.

Right.

-- Scott
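The delegation chain discussed in this message, written out as an added example (this is not code from the thread, from Scott, or from any SAML implementation). It is a toy in-memory IdP that issues a fresh transient NameID per SP, only accepts a delegation request proved under the key the presented NameID was bound to, and only when the user has granted that delegator-to-delegate step. Everything in it is an assumption for illustration: the entity names SPa/SPb/SPc, the user "alice", the use of shared HMAC keys as a stand-in for each SP's signing key, and the grants table as the stand-in for "the user (via the IdP)" authorising delegation.

```python
"""Toy model of IdP-mediated delegation with per-SP transient NameIDs.

Assumptions (not from the thread): shared HMAC keys stand in for each SP's
bound signing key; the IdP is one in-memory object; SPa/SPb/SPc and the
user 'alice' are constructed sample data.
"""
import hashlib
import hmac
import secrets


class DelegationError(Exception):
    pass


class IdP:
    def __init__(self, sp_keys, user_attrs, delegation_grants):
        self.sp_keys = sp_keys            # entityID -> key the SP is bound to
        self.user_attrs = user_attrs      # user -> attributes released on query
        self.grants = delegation_grants   # user -> {(delegator, delegate), ...}
        self.transients = {}              # NameID -> (user, audience, chain)

    def _new_transient(self, user, audience, chain):
        # A fresh, unguessable identifier per SP: SPs cannot correlate them,
        # only the IdP can (that is the cost Scott refers to).
        nid = "_" + secrets.token_hex(16)
        self.transients[nid] = (user, audience, chain)
        return nid

    def authenticate(self, user, sp):
        """User logs in at sp; the IdP issues a NameID bound to sp's key."""
        if sp not in self.sp_keys:
            raise DelegationError("unknown SP")
        return self._new_transient(user, sp, [sp])

    @staticmethod
    def proof(key, name_id, target):
        return hmac.new(key, f"{name_id}|{target}".encode(), hashlib.sha256).hexdigest()

    def delegate(self, name_id, target, proof):
        """Delegator presents its own NameID and a proof under the key that
        NameID was bound to; the IdP checks the user's grant and mints a new
        transient for target. No SP can insert itself into the chain."""
        rec = self.transients.get(name_id)
        if rec is None:
            raise DelegationError("unknown NameID")
        user, delegator, chain = rec
        expected = self.proof(self.sp_keys[delegator], name_id, target)
        if not hmac.compare_digest(expected, proof):
            raise DelegationError("proof not under the key bound to this NameID")
        if target not in self.sp_keys:
            raise DelegationError("unknown target SP")
        if (delegator, target) not in self.grants.get(user, set()):
            raise DelegationError("user has not granted this delegation")
        return self._new_transient(user, target, chain + [target])

    def attribute_query(self, sp, name_id, proof):
        rec = self.transients.get(name_id)
        if rec is None:
            raise DelegationError("unknown NameID")
        user, audience, chain = rec
        if audience != sp:
            raise DelegationError("NameID was not issued to this SP")
        if not hmac.compare_digest(self.proof(self.sp_keys[sp], name_id, "attrq"), proof):
            raise DelegationError("bad proof")
        return dict(self.user_attrs[user]), list(chain)


def build_demo():
    keys = {"SPa": b"key-a", "SPb": b"key-b", "SPc": b"key-c"}   # constructed
    idp = IdP(keys, {"alice": {"mail": "alice@example.org"}},
              {"alice": {("SPa", "SPb"), ("SPb", "SPc")}})
    return idp, keys


def run_chain(idp, keys):
    """alice -> SPa -> SPb -> SPc; SPc then queries attributes."""
    nid_a = idp.authenticate("alice", "SPa")
    nid_b = idp.delegate(nid_a, "SPb", IdP.proof(keys["SPa"], nid_a, "SPb"))
    nid_c = idp.delegate(nid_b, "SPc", IdP.proof(keys["SPb"], nid_b, "SPc"))
    attrs, chain = idp.attribute_query("SPc", nid_c, IdP.proof(keys["SPc"], nid_c, "attrq"))
    return nid_a, nid_b, nid_c, attrs, chain


def check_misuse(idp, keys, nid_a, nid_b):
    """Each entry is True when the IdP refused the illegitimate request."""
    def rejected(fn):
        try:
            fn()
            return False
        except DelegationError:
            return True
    return {
        # SPa skipping SPb: valid proof, but the user granted no SPa->SPc step
        "skip_hop": rejected(lambda: idp.delegate(nid_a, "SPc", IdP.proof(keys["SPa"], nid_a, "SPc"))),
        # SPc trying to bind itself using SPa's NameID with its own key
        "self_insert": rejected(lambda: idp.delegate(nid_a, "SPc", IdP.proof(keys["SPc"], nid_a, "SPc"))),
        # SPb presenting SPa's transient on an attribute query
        "wrong_audience": rejected(lambda: idp.attribute_query("SPb", nid_a, IdP.proof(keys["SPb"], nid_a, "attrq"))),
    }


if __name__ == "__main__":
    idp, keys = build_demo()
    nid_a, nid_b, nid_c, attrs, chain = run_chain(idp, keys)
    print(chain, attrs, len({nid_a, nid_b, nid_c}) == 3)
    print(check_misuse(idp, keys, nid_a, nid_b))
```

The point the code makes is the trade-off in the message: three SPs means three unrelated NameIDs and three IdP round trips, and the IdP is the only party that can link them; replacing the transients with one encrypted identifier carried down the chain would save the round trips at the cost of making the hops correlatable.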