Subject: proposal for SAML Attribute Management Protocol
Hi Thinh, Cristian,

I reviewed your proposal for adding some attribute management messages to SAML. This area is generally of interest to us - broadly speaking, the idea that relying parties will contribute information about users - act as authorities in their own right - and further that this information may need to be conveyed to other parties (not just to IdPs).

One concern is that management and propagation of identity data did not occupy an important place in the original SAML use-cases. Instead, SSO, with only a modest role for attributes, is the main focus of the effort. For example, many attributes originate from authorities distinct from an IdP (the entity that manages authentication), but this plays a small role in the SAML protocols - though SAML 2.0 does provide the AttributeQuery message for interaction with an identity authority. So there is a precedent within SAML 2.0 for your proposal.

We have been working on IGF, a framework that models a worldwide network of authorities that provide identity data about subjects. At the other end, there are business services that require identity data in order to be effective, but may also assert identity information - and this may also be published to authorities. I encourage you to take a look at the use-case document; it captures a broad range of interactions between consumers and producers of identity data, and also focuses on the privacy properties of these interactions.

http://www.projectliberty.org/index.php/liberty/content/download/3432/22922/file/Liberty_Id_Governance_mrd-v1.0.pdf

The CARML specification is more focused on specific interactions originating from a relying party - the introduction in particular may be helpful in conveying the main focus of the project.

http://www.projectliberty.org/liberty/content/download/4325/28927/file/draft-liberty-igf-carml-v1.0-12.pdf

We have NOT built a run-time protocol that models the interactions of interest to us. There are many reasons for this, but the main point is that we haven't addressed this issue yet, and filling this gap could provide an area of common interest for several of us. One idea would be to extend your proposal, so that rather than being a small extension to the existing SAML protocols, it becomes a comprehensive set of messages that describe the interactions between an identity authority and a relying party.

- prateek

> The document named SAML Attribute Mgt Protocol (SAML Attribute Mgt
> Protocol.ppt) has been submitted by Mr. Thinh Nguyenphu to the OASIS
> Security Services (SAML) TC document repository.
>
> Document Description:
> SAML Attribute Mgt Protocol proposal
>
> View Document Details:
> http://www.oasis-open.org/committees/document.php?document_id=34222
>
> Download Document:
> http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
>
>
> PLEASE NOTE: If the above links do not work for you, your email application
> may be breaking the link into two pieces. You may be able to copy and paste
> the entire link address into the address field of your web browser.
>
> -OASIS Open Administration
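The message above points to the SAML 2.0 AttributeQuery as the existing precedent for a relying party pulling attributes from an authority. The following is an added illustration of that exchange, not code from the proposal, from IGF/CARML or from the OASIS TC: a relying party builds an AttributeQuery, and the consuming side accepts a Response only if its InResponseTo matches the query it sent and the status is Success. The entity IDs, subject, attribute names and the sample Response are all constructed for this example; XML signature verification of the Assertion is left out and would have to precede any use of the returned values.

```python
"""Added example: a SAML 2.0 AttributeQuery / Response exchange using only the
Python standard library. All identifiers below (entity IDs, subject, attribute
names, the sample Response) are constructed for illustration."""
import datetime
import uuid
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(issuer, name_id, attribute_names, query_id=None, issue_instant=None):
    """Relying-party side: build an AttributeQuery asking the attribute
    authority for the named attributes of one subject. Returns the XML text."""
    if issue_instant is None:
        issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        # ID must be an xs:ID (an NCName), so a generated value gets a leading underscore
        "ID": query_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def parse_attribute_response(xml_text, expected_in_response_to):
    """Relying-party side: accept a samlp:Response only if it answers the query
    we issued (InResponseTo) and reports Success, then return
    {attribute name: [values]} taken from the Assertion's AttributeStatement.
    Signature verification of the Assertion is out of scope for this example."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("Response does not answer the query we sent")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("attribute authority did not report Success")
    attrs = {}
    path = f"{{{SAML}}}Assertion/{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"
    for attr in root.iterfind(path):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


# Constructed sample Response, as an attribute authority might return it for the
# query built in main() below (IDs, issuer and values are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_query1" Version="2.0" IssueInstant="2008-09-01T12:00:01Z">
  <saml:Issuer>https://authority.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-09-01T12:00:01Z">
    <saml:Issuer>https://authority.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:attributes:department">
        <saml:AttributeValue>engineering</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:attributes:role">
        <saml:AttributeValue>developer</saml:AttributeValue>
        <saml:AttributeValue>reviewer</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    query = build_attribute_query(
        "https://rp.example.com", "alice@example.org",
        ["urn:example:attributes:department", "urn:example:attributes:role"],
        query_id="_query1", issue_instant="2008-09-01T12:00:00Z")
    print(query)
    print(parse_attribute_response(SAMPLE_RESPONSE, "_query1"))
```

The InResponseTo check is what ties an incoming Response to a query this party actually issued; a Response presented with an unknown or mismatched value is rejected before any attribute is read, and a non-Success status is treated the same way.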