RE: [security-services] Credentials Collector proposal for SAML 2 .0...

[Carlisle Adams <carlisle.adams@entrust.com>]

Title: Credentials Collector proposal for SAML 2.0...

Hi Prateek,

 

I used the term "translator", rather than "proxy" or "intermediate", to underscore the idea that the CC actually receives messages and/or credentials in one syntax and forwards them on to the AA in another syntax.  It's actually doing a translation function, rather than a collect-and-forward function.

 

Yes, I think that a proprietary token wrapped in SAML would be OK, except that both the SE and the AA need to understand the token contents, so something proprietary is not ideal here.

 

Carlisle.

 

-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Tuesday, April 01, 2003 11:37 AM
To: 'Carlisle Adams'; 'security-services@lists.oasis-open.org'
Subject: RE: [security-services] Credentials Collector proposal for SAML 2 .0...

Carlisle,

 

I think the main use-case of interest to us is CC as translator (case 2.2). I am curious though why you used the term "translator" instead of "proxy" or "intermediate". I had thought of this as a case where some entity other than the AA collects credentials and then interacts with the AA to obtain a SAML assertion or other proof of authentication (e.g., such as a proprietary token). BTW, what is your view of the AA returning a proprietary token? I guess as long as it was "wrapped" in SAML we are OK.

 

Examples of such internediates include web farms or a web site that communicates with my "home site" (e.g., place of employment) for authentication purposes.

 

I agree with your recommendation that we focus on Type 1 messages in case 2.2. So our main focus would be defining an expressive request-response protocol between CC and AA.

 

- prateek