
Subject: Re: [security-services] Groups - Change Notify Protocol 02 (saml-2.0-notify-draft-02.zip) uploaded


I agree. Since state cannot be assumed, the Target is free to decide the appropriate action. Maybe we should have more clarification text on this?

Your example is also good, because it points to the fact that a target can choose different actions in response to a "RetireSubject" notification.  It can choose to simply disable, or it could perform more substantial de-provisioning, or even a simple delete, etc.  Thus, the target and requestor have to have agreement on what happens when a NewSubject notification occurs for a previously retired subject.

Relating to "RetireSubject", I had a conversation about whether there needs to be an action step to confirm deletion. It occurs to me that the target may wish, for example, to perform a SAML Attribute Query to confirm the changed state of the subject from the notifier.

Phil
phil.hunt@oracle.com




On 2010-09-21, at 12:57 PM, Tom Zeller wrote:

>>> After further reading, ManageNameIDRequest Terminate seems reasonably
>>> equivalent to disable|suspend, and NewID to enable|resume. So, no,
>>> enable/disable is not distinct from ManageNameIDRequest.
>> 
>> NewID in a MNI request assumes an active relationship based on the other
>> NameID in the request. It's a Rename, or if the SP does it, it's an
>> attachment of a secondary Name.
> 
> Thanks, Scott, for correcting me; MNI seems comparable to LDAP mod[r]dn.
> 
> My suggestion is that the NewSubject definition could include a
> sentence clarifying that "new" subjects may or may not really be new,
> depending on whether or not they were retired or de-provisioned during
> a previous RetireSubject operation, dependent upon the issuer-target
> SLA.
> 
> An implementer, say SPML or LDAP backed, shouldn't translate a
> NewSubject request to an add/create since the (previously retired)
> subject may already exist.
> 
> Tom
> 
> 
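The thread above makes two operational points: a NewSubject notification must not be mapped blindly to an add/create, because a subject retired under an earlier RetireSubject may still exist in the target's store, and a RetireSubject notification may be handled as disable, de-provision or delete depending on the issuer-target SLA, optionally after the target confirms the change with the notifier. The following target-side handler is an added illustration written for this archive page; it is not code from the draft, from OASIS, or from either poster. The notification representation (a plain dict with "type" and "subject" keys), the RetirePolicy names and the `confirm_retired` hook (standing in for the SAML Attribute Query Phil mentions) are all assumptions; the draft's wire format is not shown on this page.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class State(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"


class RetirePolicy(Enum):
    """How this target acts on RetireSubject; agreed in the issuer-target SLA (assumed)."""
    DISABLE = "disable"   # keep the record, block authentication
    DELETE = "delete"     # remove the record entirely


@dataclass
class Subject:
    name_id: str
    state: State = State.ACTIVE
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Target:
    retire_policy: RetirePolicy
    # Optional callback that asks the notifier (e.g. via an Attribute Query)
    # whether the subject really changed state; returns True to proceed.
    confirm_retired: Optional[Callable[[str], bool]] = None
    subjects: Dict[str, Subject] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)

    def handle(self, notification: dict) -> str:
        """Dispatch one change notification and return the action taken."""
        kind = notification["type"]
        name_id = notification["subject"]
        if kind == "NewSubject":
            return self._new_subject(name_id, notification.get("attributes", {}))
        if kind == "RetireSubject":
            return self._retire_subject(name_id)
        self.audit.append(("ignored", kind, name_id))
        return "ignored"

    def _new_subject(self, name_id: str, attributes: Dict[str, str]) -> str:
        # Upsert rather than add: the subject may already exist from before a
        # RetireSubject, so re-enable it instead of creating a duplicate.
        existing = self.subjects.get(name_id)
        if existing is None:
            self.subjects[name_id] = Subject(name_id, State.ACTIVE, dict(attributes))
            self.audit.append(("created", name_id))
            return "created"
        if existing.state is State.DISABLED:
            existing.state = State.ACTIVE
            existing.attributes.update(attributes)
            self.audit.append(("reactivated", name_id))
            return "reactivated"
        # Duplicate notification for an active subject: record it, change nothing.
        self.audit.append(("already-active", name_id))
        return "no-op"

    def _retire_subject(self, name_id: str) -> str:
        existing = self.subjects.get(name_id)
        if existing is None:
            self.audit.append(("retire-unknown", name_id))
            return "no-op"
        if self.confirm_retired is not None and not self.confirm_retired(name_id):
            # Notifier did not confirm the change; leave the subject untouched.
            self.audit.append(("unconfirmed", name_id))
            return "unconfirmed"
        if self.retire_policy is RetirePolicy.DELETE:
            del self.subjects[name_id]
            self.audit.append(("deleted", name_id))
            return "deleted"
        existing.state = State.DISABLED
        self.audit.append(("disabled", name_id))
        return "disabled"


def run_scenario(policy: RetirePolicy) -> List[str]:
    """Replay the thread's case: create, retire, then a NewSubject for the same subject."""
    target = Target(retire_policy=policy)
    # Constructed sample notifications for the subject "alice" (not from the page).
    events = [
        {"type": "NewSubject", "subject": "alice", "attributes": {"mail": "alice@example.test"}},
        {"type": "RetireSubject", "subject": "alice"},
        {"type": "NewSubject", "subject": "alice"},
        {"type": "NewSubject", "subject": "alice"},
    ]
    return [target.handle(e) for e in events]


if __name__ == "__main__":
    for policy in RetirePolicy:
        print(policy.value, "->", run_scenario(policy))
```

Under the DISABLE policy the second NewSubject reactivates the existing record; under DELETE it creates a fresh one. Either way the store never ends up with two records for "alice", which is the outcome Tom's remark about SPML/LDAP backends is warning against, and the `confirm_retired` hook is the place to put the confirmation step Phil raises.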


