OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] SAML 2.0 tech overview - initial diagrams


I've just realised that the SAML 2.0 Technical Overview storyboard is some
what incomplete is terms of what profile/bindings I *could* describe for Web
SSO.  Given the IdP and SP initiated options plus the "outbound"/"inbound"
composability - I could produce diagrams (and descriptions for):

1. SP Initiated: Redirect->Post
2. SP Initiated: Redirect->Artifact
3. SP Initiated: Post->Post
4. SP Initiated: Post->Artifact
5. SP Initiated: Artifact->Post
6. SP Initiated: Artifact->Artifact
7. IdP Initiated: Post
8. IdP Initiated: Artifact

(at least I think these are a complete set for the Web SSO profile)

The diagrams I attached were for 7) and the not recommended SP Initiated:
Post->Redirect  (Hence I will have to redraw that one)

The question is whether I should have diagrams/descriptions for all of the
above.  Its not much extra work - as having done a couple of them - the rest
will be just variations.  They question is rather about the balance between
completeness and verbosity.

thoughts?


John

> -----Original Message-----
> From: John Hughes [mailto:john.hughes@entegrity.com]
> Sent: 30 June 2004 11:42
> To: 'oasis sstc'
> Subject: [security-services] SAML 2.0 tech overview - initial diagrams
>
>
> A few weeks ago I said I would first concentrate on the diagrams and
> descriptions of the profile/binding combinations we have agreed to be in
> the
> technical overview - in order to review the bindings/profiles documents.
> Attached is my initial output - showing the flow for the Web SSO profile
> with POST binding.  I have drawn what I call "Service Provider
> initiated"
> and "Identity Provider initiated" flows.  As a result of reading through
> the
> profile/binding documents to draw the diagrams I have a few comments and
> questions:
>
> - The SP initiated flow is quite well described, however the IdP
> initiated
> flow takes a bit of imagination.  Primarily the problem is that in line
> 332
> in the profiles doc it says u can start looking at the IdP initiated
> flow
> from section 4.1.3.5.  A reader going straight to this section would
> soon
> get confused (I did).  An additional sentence in the paragraph to
> describe
> the IdP initiated flow initial state would be useful.
>
> - lines 354 and 355 in profiles - have a couples of "may"s - should they
> be
> lower case?
>
> - 4.1.3.3/lines 360/361.  The redirect to the SP IdP - nothing describes
> what the redirect carries (or could carry) - nor whether its out of
> scope
>
> - In both diagrams I show that the SP resource being served up could be
> performed by the Assertion Consumer service - although of course that
> service would redirect/transfer to the web server/servlet to perform the
> actual resource GET/PUT.  Nothing is described at all in 4.1.3.6 about
> this.
> The casual reader could be left "dangling" about this!  Or are we
> assuming
> that readers will always read the Technical Overview to get the full
> picture:-)
>
>
> The comments are based on sstc-saml-profiles-2.0-draft-11 and on
> sstc-saml-bindings-2.0-draft-13
>
>
> John
>
>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]