Subject: RE: [security-services] SOAP-flavored SSO profile
> My colleague Rajeev Angal recently encountered a use case that
> called for using the SOAP binding with the web browser SSO profile,
> and he has put together a proposal for a SSO profile that does this.

The document pretty much notes this, but this is really just the Liberty SSOS profile of SAML. That profile doesn't *assume* there's a distinction between the client and the relying party. That's just the typical (99.9%) case. If you want to permit a relying party to authenticate to itself as the user, that's really the business of the policies involved and the authentication mechanism you use to secure the ID-WSF SOAP binding, which is basically anything you want.

For an offline user, you'd introduce a "long"-term SAML token for the SP to use to "refresh" its security context for the user, I suppose.

Speaking just for myself, I don't know that I see a lot of value in a non-WSF version that probably ends up reinventing the most interesting parts of ID-WSF in the process. I've considered proposing it, but decided that the diff just wouldn't be large enough to warrant it. Most of ID-WSF communication now is WS-Addressing and WS-Security, so I'm not sure what you'd yank to turn it into "just" a SAML profile.

-- Scott