RE: [security-services] W-5: SSO Profile Enhancements (Part 1)

[Scott Cantor <cantor.2@osu.edu>]

> 1. The SSTC continue to work with the structure given in the ID-FF 1.2
> materials. In other words, separate generic flows and schema extensions
> required to support Web SSO and federation from specific technology
> realizations.  

Yes, it's been my hope that we could generalize things by describing new
"bindings" for the SAML request/response protocol that would be bound to a
browser and URLs as the transport instead of SOAP. This models the use of
redirection to carry messages in both ID-FF and SAML, but permits (nearly)
any protocol message to be carried that way when practical.

I also think we should try and unify the processing rules and content
between the artifact and POST profiles as much as we can, which I think is
very achievable if the artifact request is simply viewed as an alternate
binding for returning the Response message to the destination site when the
browser "binding" is used. This requires some respinning of what an artifact
really is, but I don't think that's insurmountable.

I think the end result will be similar in form if perhaps not in
presentation, but will be easier to understand and to extend to new use
cases. As an example I noted before, if the AuthnRequest and Response
messages are simply viewed as SAML protocol, then we already have a SOAP
binding, and a profile for SOAP-speaking clients and providers falls out
from that fairly readily.

-- Scott