Subject: RE: [saml-dev] signing and encryption requirements in metadata
> IDPSSODescriptor/@WantAuthnRequestsSigned
> SPSSODescriptor/@AuthnRequestsSigned
> SPSSODescriptor/@WantAssertionsSigned

Note that signing is an "atomic" operation that is all or nothing (encryption is not) and that AuthnRequests during SSO are relayed by browsers, so using signatures has relevance as the only viable authn mechanism.

> Along these lines, the following might be useful:
>
> IDPSSODescriptor/@WantQueriesSigned
> AttributeAuthorityDescriptor/@WantQueriesSigned
> PDPDescriptor/@WantQueriesSigned
>
> Is there some reason these were omitted, or is it simply a matter of
> supporting the most commonly used profile (i.e., SSO)?

That's part of it, but queries are sent directly, so signing there is just one of many authentication mechanisms. Not even a particularly common one.

> Also, wouldn't it be useful if encryption requirements could be called
> out at the SP?

Encryption isn't quite that simple, though. Its granularity can vary.

> Was this ever discussed as the metadata spec was being developed?

The need to avoid a slippery slope came up a lot when even the few flags that exist were noticed.

-- Scott
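A worked check, added here as an example rather than code from the thread: given IdP and SP metadata (constructed samples), derive from the three SSO flags named above which signature verifications each side must enforce, and flag the configuration where the IdP wants signed AuthnRequests but the SP does not declare that it signs them. Entity IDs and the helper names are assumptions.

```python
"""Derive effective SSO signing requirements from SAML 2.0 metadata flags."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not real entities): IdP demands signed requests,
# SP does not advertise signing but does require signed assertions.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/sp">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="1"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def xs_bool(value):
    """Parse an xs:boolean attribute ('true'/'1'/'false'/'0'); absent means false."""
    if value is None:
        return False
    v = value.strip().lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")


def _descriptor(root, name):
    """Locate the first role descriptor of the given name in the metadata namespace."""
    el = root.find(f".//{{{MD_NS}}}{name}")
    if el is None:
        raise ValueError(f"metadata has no {name}")
    return el


def sso_signing_policy(idp_md, sp_md):
    """Combine IdP and SP metadata flags into the checks each side must enforce."""
    idp = _descriptor(ET.fromstring(idp_md), "IDPSSODescriptor")
    sp = _descriptor(ET.fromstring(sp_md), "SPSSODescriptor")
    idp_wants_signed_req = xs_bool(idp.get("WantAuthnRequestsSigned"))
    sp_signs_req = xs_bool(sp.get("AuthnRequestsSigned"))
    sp_wants_signed_assertions = xs_bool(sp.get("WantAssertionsSigned"))
    return {
        # IdP must reject unsigned AuthnRequests if either side calls for signing
        "idp_must_verify_authn_request": idp_wants_signed_req or sp_signs_req,
        # Mismatch worth surfacing before go-live: IdP demands what SP does not promise
        "sp_cannot_satisfy_idp": idp_wants_signed_req and not sp_signs_req,
        # SP must reject unsigned assertions if its own metadata says so
        "sp_must_verify_assertion": sp_wants_signed_assertions,
    }
```

Run `sso_signing_policy(IDP_METADATA, SP_METADATA)` to see the mismatch flagged for the constructed pair.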