Subject: Re: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)
Mishra, Prateek wrote on 3/11/2004, 6:23 PM:

> The glossary currently defines "Identity Federation" as one means of
> establishing "Account Linkage" --
>
> [begin-def]
> A method of relating accounts at two different providers that represent
> the same principal so that the providers can communicate about the
> principal. Account linkage can be established through the sharing of
> attributes or through identity federation.
> [end-def]

In general, I have a problem with the entire use of the term "accounts" in any federation discussion. Federation really is the process of two parties agreeing on a common handle for an entity. What they do with that handle (e.g. associate it with an account on their system) is out of scope of the specifications and SAML. I can envision many situations where a user does not have an account on one of the parties (and perhaps both) and rather the handle is used to access accounts at other parties (such as retrieving a zip code from a profile service) without the need for establishment of an account at the provider.

Of course, as SSO initially rolls out, where users have local accounts on most systems, the shared handle will be associated with the local account and you can read that as a linked account. I just don't want to burn this into the spec as the way that things should be done or that this is the only thing that can be done.

Conor
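The distinction Conor draws, federation as two parties agreeing on a shared handle while any local account is a separate and optional matter, can be modelled in a few lines. The sketch below is an added example and not code from this thread or from any SAML or Liberty specification; the party names, the principal "alice" and the attribute store are constructed. It shows a pairwise random handle per (principal, party), a relying party that serves a principal either from a linked local account or, with no account at all, by querying the issuer for an attribute keyed on the handle, and an issuer that refuses to resolve a handle for a party it was not issued to.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Issues pairwise opaque handles and answers attribute queries about them."""
    name: str
    # constructed sample attribute store: local principal -> attributes
    attributes: dict = field(default_factory=dict)
    # (principal, relying party name) -> handle agreed with that party
    _handles: dict = field(default_factory=dict)

    def federate(self, principal: str, party: str) -> str:
        """Agree on a handle with `party` for `principal`; stable once established."""
        key = (principal, party)
        if key not in self._handles:
            # a fresh random handle per (principal, party): one party cannot
            # correlate a principal's handle with the handle another party holds
            self._handles[key] = secrets.token_urlsafe(16)
        return self._handles[key]

    def attribute_query(self, party: str, handle: str, attr: str):
        """Resolve a handle back to its principal, only for the party it was issued to."""
        for (principal, issued_to), h in self._handles.items():
            if h == handle and issued_to == party:
                return self.attributes.get(principal, {}).get(attr)
        return None  # unknown handle, or a handle issued to a different party


@dataclass
class RelyingParty:
    """A party that may, or may not, keep a local account behind a handle."""
    name: str
    idp: IdentityProvider
    # optional linkage: handle -> local account id
    linked_accounts: dict = field(default_factory=dict)

    def link_account(self, handle: str, local_account_id: str) -> None:
        self.linked_accounts[handle] = local_account_id

    def serve(self, handle: str, needed_attr: str):
        """Return (source, value): the linked account if one exists, else an
        attribute fetched from the issuer using nothing but the handle."""
        if handle in self.linked_accounts:
            return ("local-account", self.linked_accounts[handle])
        return ("attribute-query",
                self.idp.attribute_query(self.name, handle, needed_attr))


def demo() -> dict:
    """Run the scenario with constructed parties and return the observable results."""
    idp = IdentityProvider("idp.example", attributes={"alice": {"zip": "02139"}})
    travel = RelyingParty("travel.example", idp)   # keeps local accounts
    shop = RelyingParty("shop.example", idp)       # keeps no local accounts
    h_travel = idp.federate("alice", travel.name)
    h_shop = idp.federate("alice", shop.name)
    travel.link_account(h_travel, "acct-4711")
    return {
        # the handle is stable for the same (principal, party) pair
        "stable": idp.federate("alice", travel.name) == h_travel,
        # and different across parties, so handles alone do not correlate
        "handles_differ": h_travel != h_shop,
        # party with a linked account resolves locally
        "travel": travel.serve(h_travel, "zip"),
        # party with no account still gets what it needs via the handle
        "shop": shop.serve(h_shop, "zip"),
        # a handle issued to travel is useless when presented at shop
        "cross_party": shop.serve(h_travel, "zip"),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in `RelyingParty` requires an account to exist; `linked_accounts` is a local convenience layered on top of the handle, which is the relationship the issuer and the party actually agreed on.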