Subject: RE: [security-services] SAML 2.0 tech overview - initial diagrams
I've just realised that the SAML 2.0 Technical Overview storyboard is somewhat incomplete in terms of what profile/bindings I *could* describe for Web SSO. Given the IdP and SP initiated options plus the "outbound"/"inbound" composability, I could produce diagrams (and descriptions) for:

1. SP Initiated: Redirect->Post
2. SP Initiated: Redirect->Artifact
3. SP Initiated: Post->Post
4. SP Initiated: Post->Artifact
5. SP Initiated: Artifact->Post
6. SP Initiated: Artifact->Artifact
7. IdP Initiated: Post
8. IdP Initiated: Artifact

(at least I think these are a complete set for the Web SSO profile)

The diagrams I attached were for 7) and the not recommended SP Initiated: Post->Redirect (hence I will have to redraw that one).

The question is whether I should have diagrams/descriptions for all of the above. It's not much extra work - as having done a couple of them - the rest will be just variations. The question is rather about the balance between completeness and verbosity.

thoughts?

John

> -----Original Message-----
> From: John Hughes [mailto:john.hughes@entegrity.com]
> Sent: 30 June 2004 11:42
> To: 'oasis sstc'
> Subject: [security-services] SAML 2.0 tech overview - initial diagrams
>
>
> A few weeks ago I said I would first concentrate on the diagrams and
> descriptions of the profile/binding combinations we have agreed to be in the
> technical overview - in order to review the bindings/profiles documents.
> Attached is my initial output - showing the flow for the Web SSO profile
> with POST binding. I have drawn what I call "Service Provider initiated"
> and "Identity Provider initiated" flows. As a result of reading through the
> profile/binding documents to draw the diagrams I have a few comments and
> questions:
>
> - The SP initiated flow is quite well described, however the IdP initiated
> flow takes a bit of imagination. Primarily the problem is that in line 332
> in the profiles doc it says you can start looking at the IdP initiated flow
> from section 4.1.3.5. A reader going straight to this section would soon
> get confused (I did). An additional sentence in the paragraph to describe
> the IdP initiated flow initial state would be useful.
>
> - lines 354 and 355 in profiles - have a couple of "may"s - should they be
> lower case?
>
> - 4.1.3.3/lines 360/361. The redirect to the SP IdP - nothing describes
> what the redirect carries (or could carry) - nor whether it's out of scope
>
> - In both diagrams I show that the SP resource being served up could be
> performed by the Assertion Consumer service - although of course that
> service would redirect/transfer to the web server/servlet to perform the
> actual resource GET/PUT. Nothing is described at all in 4.1.3.6 about this.
> The casual reader could be left "dangling" about this! Or are we assuming
> that readers will always read the Technical Overview to get the full
> picture:-)
>
>
> The comments are based on sstc-saml-profiles-2.0-draft-11 and on
> sstc-saml-bindings-2.0-draft-13
>
>
> John
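As an added illustration (not John's diagrams or any OASIS code), the following Python sketch models how the AuthnRequest binding and the Response binding compose into the eight Web SSO flows listed in the message; the hop descriptions are a simplification of the bindings document and all function names are my own.

```python
# Added example (not part of the thread): a small model of how the Web SSO
# profile's bindings compose into the eight flows John lists. Each flow is
# a list of hops; "front" hops pass through the user's browser, "back" hops
# are direct SOAP calls between SP and IdP (artifact resolution).

REQUEST_BINDINGS = ("Redirect", "Post", "Artifact")   # AuthnRequest, SP -> IdP
RESPONSE_BINDINGS = ("Post", "Artifact")               # Response, IdP -> SP


def _carry(binding, message, sender, receiver):
    """Hops needed to move one SAML message under the given binding."""
    if binding == "Redirect":
        return [("front", f"{sender} redirects browser to {receiver} with {message} "
                          "deflated+base64 in the query string")]
    if binding == "Post":
        return [("front", f"{sender} returns an auto-submitting form; browser POSTs "
                          f"{message} (base64) to {receiver}")]
    if binding == "Artifact":
        return [("front", f"{sender} hands the browser an artifact for {receiver}"),
                ("back", f"{receiver} sends ArtifactResolve to {sender}'s artifact "
                         f"resolution service and receives {message}")]
    raise ValueError(f"unknown binding {binding!r}")


def web_sso_flow(initiator, request_binding=None, response_binding="Post"):
    """Return the ordered hops of one Web SSO flow.

    initiator is "SP" or "IdP". SP-initiated flows need a request binding; the
    response binding must be Post or Artifact (the thread calls Post->Redirect
    not recommended, so a Redirect response is rejected here)."""
    if response_binding not in RESPONSE_BINDINGS:
        raise ValueError(f"Response cannot use the {response_binding} binding")
    hops = []
    if initiator == "SP":
        if request_binding not in REQUEST_BINDINGS:
            raise ValueError(f"bad request binding {request_binding!r}")
        hops.append(("front", "browser requests a protected resource at the SP"))
        hops += _carry(request_binding, "AuthnRequest", "SP", "IdP")
    elif initiator != "IdP":
        raise ValueError(f"bad initiator {initiator!r}")
    hops.append(("front", "IdP authenticates the user (means out of scope for SAML)"))
    hops += _carry(response_binding, "Response", "IdP", "SP")
    hops.append(("front", "SP Assertion Consumer Service validates the assertion "
                          "and hands off to the resource"))
    return hops


def all_web_sso_flows():
    """Enumerate the profile/binding combinations listed in the thread, in order."""
    flows = {f"SP Initiated: {r}->{s}": web_sso_flow("SP", r, s)
             for r in REQUEST_BINDINGS for s in RESPONSE_BINDINGS}
    flows.update({f"IdP Initiated: {s}": web_sso_flow("IdP", None, s)
                  for s in RESPONSE_BINDINGS})
    return flows
```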