[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Distributed IDP model
> [McCormick, Mike] Yes that's exactly what we'll be
> forced to do if the SAML paradigm insists on viewing the IDP
> and CIA as one logical entity and doesn't provide any
> standard interfaces for their "internal" information exchanges.
>
> SAML does not insist on that.

With all due respect to Conor, SAML as a standard definitely defines an IdP as something that contains all of that functionality. How you choose to implement it internally is not constrained, but the lines you draw conceptually around the "IdP" would include both the SAML bits and the "interacts with user" bits. Especially if the client is really only ever talking to the thing you're labeling "IdP", and this "CIA" thing is actually never directly accessed.

In most implementations, this separation exists, but it's internal to one software process or set of processes and is not a remoted interface. But you could make it one if you were prepared to deal with all of the security implications of that.

I still see no reason why the standard needs to address that implementation strategy though, not unless it was more obvious that it was useful to many people.

-- Scott