Subject: Re: [security-services] Groups - sstc-saml-holder-of-key-browser-sso-draft-03.odt
On Mon, Jul 14, 2008 at 11:15 AM, Scott Cantor <cantor.2@osu.edu> wrote:
>> This is all of ID-WSF, right? I'm looking for a standalone profile to
>> retrieve a h-o-k assertion from a SAML IdP. Does such a profile
>> exist?
>
> Yes. I can't reference it because the only thing posted is the ZIP.

That's ridiculous. Is someone trying to tell us that none of those specs stand alone? I guess that's the point I've been trying to make all along (but this forum is probably not the best place to carry on that conversation).

>> > The SAML Token Service profile and SOAP binding specs do exactly what you
>> > want for SOAP applications.
>>
>> Well, I don't see a SAML Token Service profile in that mountain of
>> files.
>
> It's in the AS document.

I'll look at that, thanks.

>> Given that 1) the vast majority of IdPs authenticate users via
>> username/password (in my experience, at least), and 2) there appears
>> to be at least a mild backlash against SOAP in the marketplace, I
>> would say that an HTTP-based token service is not only viable, but
>> necessary at this point.
>
> I think it's needless duplication with fewer features.

Which some see as a positive thing, right?

> But if I honestly
> thought that *anybody* could be won over just by pulling SOAP out of there,
> I'd have done it a long time ago.

Me ;-)

> The real problem is not getting tokens,
> but using them.

If I'm understanding you correctly, I don't agree with that. I have lots of use cases for h-o-k SAML tokens, even low assurance ones (i.e., tokens that can be traced to username/password).

Tom