OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services


I am very open to recommendations. We have a service that uses SOAP
today that some want us to make an equivalent RESTful version. 

Help me understand your suggestion for TLS? Today we use
mutual-authenticated-TLS to be sure the two systems talking are
authenticated/authorized. We use SAML for user.

I have not seen anything lately on ECP, so I was wondering if it was a
profile that had passed into history (4th Google hit on the topic gives
me back my own presentation on this for IHE many years ago). If it is a
good solution for RESTful, then I am good with looking at it again.

John

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, June 25, 2010 1:46 PM
> To: Moehrke, John (GE Healthcare); saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful
> services
> 
> > This is the problem... how do I explain how to my RESTful API would
> > carry the URI? I was hoping that there was a common way to do this,
like
> > there is with WS-Security in the SOAP world.
> 
> Using a URI is a bigger problem than that because most IdPs wouldn't
> remember the assertion for you to dereference.
> 
> If you're trying to bind either a URI or a token to every message,
then
> OAuth is clearly the answer, modulo that I don't agree with their
security
> choices, and would hope that it would be deemed inadequate for health
care
> use cases.
> 
> If you can live with session-based security vis cookies and/or (more
> preferably) client TLS, then ECP works fine for that.
> 
> -- Scott
> 
> 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]