OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Réf. : [saml-dev] Re: Réf. : Re: [saml-dev] Réf. : RE: [saml-dev] AttributeQuery : why SOAP binding ?

Hi Valerie
 
We have exactly the same requirement for "dynamically" obtaining information from an IdP with user consent at the IdP here in New Zealand.  Our requirement comes from New Zealand privacy law and is an area we have been trying to address with SAML 2 for the last 18 months.
 
I believe that submissions are currently in progress to the SAML 2 technical expert committee for a mechanism within the specification to permit the dynamic requesting of information within the <AuthnRequest>.  I am not aware of any timeframe or the whether the submissions will be accepted, but I hope this helps.
 
As a temporary solution we may use a preconfigured set of attributes within each circle of trust as an approach.
 
Other potential options (but not really recommended) could involve specifying the required attributes as a String in the <RequestedAuthnContext>.  The AttributeConsumerServiceIndex is another option, but is a fairly indirect mechanism.  As a last resort you could consider the use of SAML <Extensions> in the <AuthnRequest>, but I don't know if that would suit your model either?
 
Kind Regards
Ben Yeoman
 
 
 

From: valerie.bauche@bull.net [mailto:valerie.bauche@bull.net]
Sent: Fri 14/11/2008 23:42
To: Chad La Joie
Cc: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Réf. : [saml-dev] Re: Réf. : Re: [saml-dev] Réf. : RE: [saml-dev] AttributeQuery : why SOAP binding ?


> Okay, so you have *no* upfront knowledge about what attributes will be
> needed.  Would a model where the IdP releases, at authentication time,
> all attributes that *might* be needed an acceptable solution?  I know a
> lot of services work like this.

This is the way I currently work... But this is not acceptable for this particular client who needs a very high security level.
When the SP needs a particular attribute, it asks the IDP and then the IDP MUST ask the user "Do you want to send this attribute to this particular SP".
So this process has to be very dynamic.

Valérie BAUCHE
Ingénieur en développement de solutions de sécurité
Bull, Architect of an Open World TM
Tél : 02 41 93 57 09
http://www.bull.com

Bull recrute : http://www.bull.fr/emploi

Ce message contient des informations confidentielles, couvertes par le secret professionnel ou réservées exclusivement à leur destinataire. Toute lecture, utilisation, diffusion ou divulgation sans autorisation expresse est rigoureusement interdite.
Si vous n'en êtes pas le destinataire, merci de prendre contact avec l'expéditeur et de détruire ce message.

This e-mail contains material that is confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited.
If you are not the intended recipient, please contact the sender and delete all copies.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]