Subject: RE: [security-services] Stateless Conformity To SAML
> Greg Whitehead wrote:
>
> Another way to look at this is from the point of view of the peer
> implementation. That is, if my IDP implementation is talking
> to your SP implementation, and I want to ensure that you have
> terminated any persistent record of a federation for a given user,
> then I need to know that either:
> a) you support Name ID Management and will terminate any persistent
> record for a given user if I tell you to do so (which, I
> guess, could be a no-op if you don't store persistent records)

I like your approach of thinking from the other view. I think, however, it's a bad idea to conceive of a 'general' SP that claims support for name id mgt but that cannot/doesn't actually store (or cause to be stored) persistent records.

> b) you don't support Name ID Management, but you don't store
> persistent records of federations either

Now we get (back) into the question of what levels of conformance most advance adoption of the sort the SSTC intends, where conformance classes are needed, and whether name id mgt should be MTI in all but exceptional ("challenged") profiles.

> Where we would run into trouble, I think, is if an implementation
> stores persistent records of user federations but doesn't
> support Name ID Management (federation termination in particular).

Well put. This is one specific way in which the 'stateless' implementation is problematic, and for which its designers would probably have to rely on failure modes ... which would seem to shorten the life of two important utilities of such a "device" (speed and independence).

> -Greg

--Nick