Subject: Re: Re: [saml-dev] One token per endpoint-address?
Thanks for your very fast reply. In this case I want to use SAML only for simple AuthenticationStatements. I use them as endorsed supporting tokens. So for me it would be best if a client gets one token and can use it for every web service on the server. The problem is Microsoft's WCF implementation, which calls the STS for each web service, meaning a generated WCF client requests a token for each service (AppliesTo in the request).

----- original message --------
Subject: Re: [saml-dev] One token per endpoint-address?
Sent: Thu, 06 Mar 2008
From: Chad La Joie <chad.lajoie@switch.ch>

> Is it necessary? Well, no. But, there are a couple of things that
> would influence this.
>
> Most token issuers are probably populating the tokens with an audience
> restriction in order to convey that the assertion is only meant for a
> particular service or set of services. So, if the issuer indicates that
> an assertion is only meant for services A & B you shouldn't be sending
> it to C (and C shouldn't accept it).
>
> Another aspect that impacts this would be the content of the assertion.
> If the assertion contains sensitive information (e.g. a non-opaque
> name identifier or user attributes), then the issuer may want to issue
> different assertions for different services in order to show each service
> only the minimal amount of data that it requires.
>
> This isn't to say that a token can't be used with more than one service,
> but instead that you really need to work with the token issuer to
> determine the set of services with which a token could be used.
>
> Christian Mielke wrote:
> > Hi, when I have different web services which all trust the same
> > security token service which provides SAML 1.1 tokens, is it
> > necessary that a client must obtain one token for each service? Or
> > is it sufficient to obtain one token which can be used for all
> > services that trust the security token service?
> >
> > With kind regards
> > Christian
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Security
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> chad.lajoie@switch.ch, http://www.switch.ch
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

--- original message end ----
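Chad's point that service C should not accept a token scoped to A and B is a check the relying party has to make itself. The following is an added example, not code from this thread or from any of the projects mentioned: a relying party evaluating the AudienceRestrictionCondition of a SAML 1.1 assertion under the SAML 1.1 rule that every such condition must be satisfied and each is satisfied by any one matching Audience. The sample assertion, its URIs and the `require_restriction` switch are constructed assumptions; signature and validity-window checks are out of scope here.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace (the token version discussed in the thread).
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample: the issuer scopes the token to services A and B only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-id"
    Issuer="https://sts.example.test" IssueInstant="2008-03-06T10:00:00Z">
  <saml:Conditions NotBefore="2008-03-06T10:00:00Z" NotOnOrAfter="2008-03-06T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://service-a.example.test/</saml:Audience>
      <saml:Audience>https://service-b.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2008-03-06T10:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def audience_permits(assertion_xml: str, relying_party: str,
                     require_restriction: bool = True) -> bool:
    """Return True if `relying_party` may accept this SAML 1.1 assertion as
    far as audience restriction goes. Signature and time-window validation
    are separate steps that must also pass before the token is trusted.

    SAML 1.1 semantics: every AudienceRestrictionCondition must be valid,
    and one is valid when at least one of its Audience URIs names us.
    """
    # Production code should parse with a hardened XML parser (e.g. defusedxml).
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    restrictions = [] if conditions is None else conditions.findall(
        "saml:AudienceRestrictionCondition", NS)
    if not restrictions:
        # An unrestricted token can be replayed to any service that trusts the
        # STS; refuse it unless the deployment has explicitly decided to allow that.
        return not require_restriction
    for restriction in restrictions:
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS)
                     if a.text}
        if relying_party not in audiences:
            return False
    return True
```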