Re: [saml-dev] SAML, trust and WS.

[Tom Scavo <trscavo@gmail.com>]

On 12/21/05, Scott Cantor <cantor.2@osu.edu> wrote:
>
> > > 2. IdP returns SAML token containing a transient ID issued for SPA plus
> some
> > > attributes
> >
> > Right, this works because evidently the target SP is known.  (Not true
> > in my use case, btw.)
>
> If the IdP doesn't know the SP, then I guess you're dealing with some kind
> of user-intermediated push scenario, which is also fine. The transient ID
> won't matter because no query back will be possible anyway (no
> authentication of the SP).

I didn't say the IdP doesn't know the SP, I said (or meant to say)
that the IdP may not know the SP in advance, so it can't issue an
assertion targeted at a specific SP.  (I don't dare try to explain
this further, otherwise this thread will deteriorate into oblivion :)

> > Assumes much more functionality at the IdP than is available today.
> > (Our development platform is Shibboleth 1.3, which is built on top of
> > SAML 1.1.)
>
> Anything you want to do is going to require new functionality. Sorry, that's
> the way it is. But that functionality won't have much to do with
> identifiers, and that's my only point.

And that is our fundamental point of disagreement...I'll leave it at that.

Tom