security-services message

Subject: Re: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance


>* Name Identifier Management, HTTP redirect (IdP-initiated) - Required
>for SP, not allowed for SP Lite (as an aside, why is this not allowed,
>instead of just optional?)

Long story, but it's not interesting, and not really important. Suffice to
say it shouldn't have said that.

>Because I am still getting up to speed on SAML, are you saying that there
>is a higher level of state management required to support these profiles
>and bindings?

When implemented in some ways, yes.

>Regarding the requirements, there are two things that we are considering.
>One is the minimal requirements required from a customer-perspective. The
>second is the functionality that is required to claim a certain level of
>support for SAML v2.0. It is for this second purpose that I am asking you
>these questions.

That isn't what I meant by requirements. Those sound like abstractions or
marketing speak. You need real requirements, use cases, functionality
needed to solve specific problems.

It is unlikely that what you need is addressed by any predefined
combination of features in that document, and you'll certainly need
features beyond what that document will define.

I think you're starting at the wrong end. You need to know the features
defined by the standard, and then construct the set that is relevant to
your space.

>What I am seeking to do is to identify the required SAML features (
>profile, message exchange, and selected binding) for the SP and SP Lite
>operation modes in order to establish what the required features are to
>achieve a given level of compatibility. I am attaching the spreadsheet I
>am using to do this.

I don't think I understand what that means or how it would be useful.
Maybe you're saying you're looking for the set of features that you would
need to limit yourself to to ensure compatibility with particular products?

I'm not saying you should start by assuming features nobody supports, but
at the same time, if you need a solution to a problem, that's what needs
to define the solution set.

>I appreciate you taking the time to answer my questions. If there is some
>place else I should be looking for answers, please let me know. I did not
>see the answers in the spec documents or the Executive and Technical
>whitepapers.

If you're looking for an example of a feature set that guarantees some
degree of completeness to solve actual problems, you'd want to be looking
at profiles defined by specific communities doing real deployments, such
as the Kantara eGov SAML profile. But that doesn't mean the problems it's
scoped to solve are exactly your problems either.

-- Scott
