Subject: Re: [saml-dev] RE: How to provide SAML assertions in RESTful services
>> At another level it's nothing more than exchanging SAML for some
>> session token. But it's happening within the framework of a standard
>> which is good for interoperability.
>
> I suppose so, but cookies predate OAuth, and are simpler, and a session
> based on TLS is much stronger than either of them.

No argument there.

>> The token is both issued and consumed by the same party (in the most
>> common use case anyway) and it is opaque to the client so it can
>> contain whatever that entity deems necessary in whatever format makes
>> the most sense for it.
>
> I don't think the token is consumed by the issuer when you split off the
> token issuer.

Not the issuer itself, true, but the controlling organization of both the
issuer and the service. So the format must be standardized within that
domain but not a standard in the sense of an OASIS or IETF standard.

> That demands a standard format, and now we're deep into the
> idiotic arguments about XML vs JSON, and I'm not going there.

I've got no interest in going there.