Subject: Re: [security-services] Re: Dutch eID Preso follow up. RE: Proposed Minutes for SSTC Call (Nov 25, 2014)
On 12/9/14, 10:07 PM, "Martijn Kaag" <martijn.kaag@connectis.nl> wrote:
>
>I agree, but there are several challenges:
>
>* They need to communicate the requested attributes at runtime. For
>several reasons, AttributeConsumingServiceIndex is insufficient (there
>may be more than >65535 different combinations of requested attributes).

That only holds if you signal some attributes as required vs. just handling the error at the SP, but that's fine. It's a trivial extension. And yet in ten years nobody who actually has the problem is willing to work on specifying it? That's hard to take seriously, for me.

>* They need to communicate about the (authenticated) subject with more
>than one attribute.

And so there are multiple Attributes in any statement. I don't see the problem there.

>
>* They need specific user consent for every released attribute.

That's out of scope of SAML, but there are plenty of implementations that do that. Even Shibboleth's about to.

>Another option would be an authnrequest with a set of requested attributes
>in the extension.

The other option is to invent a query profile that adds back in all of the security content, subject confirmation rules, etc. from the SSO profile. I think that's a lot more work.

-- Scott