[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Stateless Conformity To SAML
> Greg Whitehead wrote:
>
> Another way to look at this is from the point of view of the peer
> implementation. That is, if my IDP implementation is talking
> to your SP implementation, and I want to ensure that you have
> terminated any persistent record of a federation for a given user,
> then I need to know that either:
> a) you support Name ID Management and will terminate any persistent
> record for a given user if I tell you to do so (which, I
> guess, could be a no-op if you don't store persistent records)
I like your approach of thinking from the other view. I think,
however, it's a bad idea to conceive of a 'general' SP that claims
support for name id mgt but that cannot/doesn't actually store
(or cause to be stored) persistent records.
> b) you don't support Name ID Management, but you don't store
> persistent records of federations either
Now we get (back) into the question of what levels of conformance
most advance adoption of the sort the SSTC intends, where
conformance classes are needed, and whether name id mgt should be
MTI in all but exceptional ("challenged") profiles.
>
> Where we would run into trouble, I think, is if an implementation
> stores persistent records of user federations but doesn't
> support Name ID Management (federation termination in particular).
Well put. This is one specific way in which the 'stateless'
implementation is problematic, and for which its designers would
probably have to rely on failure modes ... which would seem to
shorten the life of two important utilities of such a "device"
(speed and independence).
>
> -Greg
--Nick
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]