OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] Non-web client authentication


> As an architecture designer I have problems with designing a system  
> where the flow must go through a third party application.

Unless your IdP is prepared to ship out clients, I'd say you're dead then.

Personally, I think most of your issues are really as much about the
authentication technology as anything else. Seems like what you really want
is tamper-proof smart cards (about as likely as secure clients, I know) so
that the desktop environment can't actually get at the private key.

> If I was an IdP I would probably not join the federation if the 
> credentials of my users MUST flow through random, third party
> applications. If they went directly to me through a browser window
> I would be OK with it. Why?

You should definitely ask yourself that, because as others have noted,
you're wrong to be more comfortable with that. It doesn't help you, nor
could you possibly tell.

> 2) One of many goals of federated ID systems is that the user will  
> get one single login interface that is visually identical and can be  
> trusted. If third party applications should be allowed to display  
> username/password widgets, it is a way of saying: "You can enter your  
> credentials wherever you see a username/password dialog".

I think that's a secondary goal, or perhaps it's just a way of achieving the
goal of reducing phishing. But personally, I think this is a user issue. If
users don't care about their identity, nothing we do will fix that. And they
don't, by and large, they hand it over on a whim. So we shouldn't forget
that and believe that we can solve this technically. Building foolproof
systems just breeds better fools.

Obviously, you should probably take a look at Infocard if for no reason
other than to get a sense of how it tries to meet your requirements.

But none of this is really SAML-related, so it probably should head to some
other list.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]