Subject: RE: SAML shared credential (draft-saml-shared-credential-discussion-01.doc)
My major concern with this proposal is that I don't think it actually addresses the use case because there's nothing in the SwitchUser extension that tells the IdP it's supposed to switch from a group to a principal. That's only implied. It seems like something else is needed, perhaps the AuthnContext part, but that alone would be sufficient to solve the problem.

I think the TC should decide whether assertions about groups are a legitimate function, and if they are, we should define a new NameID Format, in the form of a URI, that represents a group. In fact, we could go a bit farther, and create a "groups" extension that defines a URI that is both a NameID Format and an Attribute Name.

-- Scott