saml-dev message

Subject: RE: [saml-dev] FW: Help with what standards support these WebServices calls?

From: "Cantor, Scott E." <cantor.2@osu.edu>
To: Hal Lockhart <hal.lockhart@oracle.com>, Colin Wallis<Colin.Wallis@dia.govt.nz>, "saml-dev@lists.oasis-open.org"<saml-dev@lists.oasis-open.org>, "colin_wallis@hotmail.com"<colin_wallis@hotmail.com>
Date: Tue, 22 Feb 2011 23:13:20 +0000

> As someone else noted, WS-Trust could also be used for steps 1 & 2. The
> main advantage in using WS-Trust vs.. SAML Authn Req is that WS-Trust has a
> mechanism for conveying a key back to the requestor (corresponding to the
> key in the Token) which can then be used for message protection and to bind
> the SAML Assertion to the message contents, assuming Agency 1 & Agency 2
> have the necessary cryptographic capabilities. With SAML Authn Req, Holder
> of Key Subject confirmation cannot be used unless some other means of key
> distribution is provided.

Anything you can do with WS-Trust, you can do with SAML. I'd go so far as to say the interoperability is about as likely too (if not higher).

In this specific case, using an attribute is a trivial way to communicate a key back.

-- Scott

Follow-Ups:
- RE: [saml-dev] FW: Help with what standards support these WebServices calls?
  - From: Colin Wallis <Colin.Wallis@dia.govt.nz>

References:
- FW: Help with what standards support these Web Services calls?
  - From: Colin Wallis <Colin.Wallis@dia.govt.nz>
- RE: [saml-dev] FW: Help with what standards support these WebServices calls?
  - From: Hal Lockhart <hal.lockhart@oracle.com>