Subject: Some food for thought on delegation
Some mostly low-level musings can be found here:

http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso-delegation-01.pdf

There are several profiles in the document, some more well thought out or needed than others, but the "best" ones in terms of being immediately workable and lacking much of an alternative at this point are probably the first two, which describe using samlp:AuthnRequests and saml:Assertion to request and then use assertions for constrained delegation using holder-of-key, and then combine that with the Browser SSO and ECP profiles to enable SPs to act on behalf of the user at specific services.

The philosophy behind these proposals is that existing work in this space is perhaps a bit overly general, and sacrifices some of the value of normalizing security semantics to a common format (i.e. what SAML was supposed to be for).

-- Scott