OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] SOAP-flavored SSO profile


> My colleague Rajeev Angal recently encountered a use case that
> called for using the SOAP binding with the web browser SSO profile,
> and he has put together a proposal for a SSO profile that does this.

The document pretty much notes this, but this is really just the Liberty
SSOS profile of SAML. That profile doesn't *assume* there's a distinction
between the client and the relying party. That's just the typical (99.9%)
case.

If you want to permit a relying party to authenticate to itself as the user,
that's really the business of the policies involved and the authentication
mechanism you use to secure the ID-WSF SOAP binding, which is basically
anything you want. For an offline user, you'd introduce a "long"-term SAML
token for the SP to use to "refresh" its security context for the user, I
suppose.
 
Speaking just for myself, I don't know that I see a lot of value in a
non-WSF version that probably ends up reinventing the most interesting parts
of ID-WSF in the process. I've considered proposing it, but decided that the
diff just wouldn't be large enough to warrant it. Most of ID-WSF
communication now is WS-Addressing and WS-Security, so I'm not sure what
you'd yank to turn it into "just" a SAML profile.

-- Scott



