Re: [security-services] Groups - sstc-saml-holder-of-key-browser-sso-draft-03.odt

["Tom Scavo" <trscavo@gmail.com>]

On Mon, Jul 14, 2008 at 11:15 AM, Scott Cantor <cantor.2@osu.edu> wrote:
>> This is all of ID-WSF, right?  I'm looking for a standalone profile to
>> retrieve a h-o-k assertion from a SAML IdP.  Does such a profile
>> exist?
>
> Yes. I can't reference it because the only thing posted is the ZIP.

That's ridiculous.  Is someone trying to tell us that none of those
specs standalone?  I guess that's the point I've been trying to make
all along (but this forum is probably not the best place to carry on
that conversation).

>> > The SAML Token Service profile and SOAP binding specs do exactly what
> you
>> > want for SOAP applications.
>>
>> Well, I don't see a SAML Token Service profile in that mountain of
>> files.
>
> It's in the AS document.

I'll look at that, thanks.

>> Given that 1) the vast majority of IdPs authenticate users via
>> username/password (in my experience, at least), and 2) there appears
>> to be at least a mild backlash against SOAP in the marketplace, I
>> would say that an HTTP-based token service is not only viable, but
>> necessary at this point.
>
> I think it's needless duplication with fewer features.

Which some see as a positive thing, right?

> But if I honestly
> thought that *anybody* could be won over just by pulling SOAP out of there,
> I'd have done it a long time ago.

Me ;-)

> The real problem is not getting tokens,
> but using them.

If I'm understanding you correctly, I don't agree with that.  I have
lots of use cases for h-o-k SAML tokens, even low assurance ones
(i.e., tokens that can be traced to username/password).

Tom