Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)
Scott Cantor wrote on 3/12/2004, 6:12 PM:

> > Assuming we're talking about the same thing (that the SP needs to be
> > able to tell the IdP that it wants a new persistent relationship if
> > one doesn't already exist) -- it is needed.
>
> That's the implied semantic already. The question is why an SP would
> need to be able to say that it only wanted an existing identifier
> and not a new one, if necessary.

When the SP didn't want to create a federation, but is willing to use one if it already exists.

> > Of course, in such a case, the IdP can still confirm the federation
> > with the user, but will, in the right circumstances, accept the SP's
> > request without needing additional confirmation and create the new
> > permanent relationship with the user.
>
> If the issue is confirmation,

The issue is that the request should match the semantics of the operation requested by the user and/or site. So, for example, the user goes to a site which figures out the user is from a particular IdP (not saying how, but you can guess it is some form of a cookie) and the SP wants to use an existing federation, but it does not yet want to go to the point of establishing a federation if one doesn't already exist.

I am very concerned about not being able to ask for an authentication without implying that I am also asking for a federation. I think that people who are concerned with privacy would also be concerned about a protocol that does not allow that distinction.

Conor
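The distinction argued for above, modeled as the IdP's decision logic, is shown in this added example (not code from the thread or from any SAML implementation). The request flag `create_if_missing`, the `confirm` callback and the in-memory federation store are assumptions made for the illustration; in the "authentication only" case the IdP authenticates the user but stores and discloses no persistent identifier.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed store: (user, sp) -> persistent identifier already federated
FederationStore = Dict[Tuple[str, str], str]


def handle_authn_request(
    store: FederationStore,
    user: str,
    sp: str,
    create_if_missing: bool,
    confirm: Callable[[str, str], bool] = lambda user, sp: True,
) -> Tuple[str, Optional[str]]:
    """IdP-side handling of an SP's authentication request.

    Returns (outcome, identifier) where outcome is one of:
      "existing" - a federation already exists; its identifier is reused
      "created"  - SP asked for a federation if needed and the IdP (after
                   any confirmation it requires) created and stored one
      "refused"  - SP asked for a federation if needed, confirmation failed
      "unlinked" - SP asked for authentication only; nothing is stored and
                   no persistent identifier is disclosed
    """
    existing = store.get((user, sp))
    if existing is not None:
        # The SP is willing to use a federation that already exists.
        return "existing", existing
    if not create_if_missing:
        # Authentication without implying federation: no state is created.
        return "unlinked", None
    if not confirm(user, sp):
        # The IdP may still confirm the new relationship with the user.
        return "refused", None
    # Opaque, per-SP identifier so that different SPs cannot correlate users.
    new_id = secrets.token_urlsafe(24)
    store[(user, sp)] = new_id
    return "created", new_id
```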