RE: [provision] FW: Base SPML on SAML rather than DSML?

provision message

Subject: RE: [provision] FW: Base SPML on SAML rather than DSML?

From: Tony Gullotta <TGullotta@access360.com>

To: "'rweltman@netscape.com'" <rweltman@netscape.com>,Gavenraj Sodhi <Gavenraj.Sodhi@businesslayers.com>

Date: Tue, 30 Jul 2002 10:09:00 -0700

I think SAML may have some relevance if the PSP wishes to obtain additional information about the principal who needs to be provisioned. So, for example, let's say the provisioning request is for John Doe, and the PSP needs to know John's credit status before authorizing the request. Then the PSP could query the RA (or some trusted third party) for attribute assertions about John's credit. This may make sense to be SAML based, however the original provisioning request would probably not be a great fit. Does anyone else have a better perspective on SAML to comment?

Tony

-----Original Message-----
From: rweltman@netscape.com [mailto:rweltman@netscape.com]
Sent: Tuesday, July 30, 2002 8:32 AM
To: Gavenraj Sodhi
Cc: provision@lists.oasis-open.org
Subject: Re: [provision] FW: Base SPML on SAML rather than DSML?

SAML (so far) doesn't have a protocol for updating attributes, just acquiring them (issue an attribute request, get an attribute assertion back). You could devise a protocol where a requestor instead submitted an attribute assertion (as a request to update/add an attribute), but there is no support for that as a protocol in SAML: is the assertion an add or an update, what should the response of the receiver be, etc.

Caveat: I haven't followed the SAML list much for the past couple of months.

Rob

Gavenraj Sodhi wrote:

fyi... -----Original Message----- From: DeSouza, Edwin [mailto:edesouza@jamcracker.com] Sent: Monday, July 29, 2002 6:25 PM To: Gavenraj Sodhi; Darran.Rolls@waveset.com Cc: hal.lockhart@entegrity.com; tim.moses@entrust.com; pmishra@netegrity.com; Jeff.Hodges@sun.com; eve.maler@sun.com; pbaker@verisign.com Subject: Base SPML on SAML rather than DSML? Darran, Gavenraj, I see a lot of discussion on using DSML as the basis for SPML. http://lists.oasis-open.org/archives/provision/200207/maillist.html DSML is one possible starting point (Directories keep User Profiles, etc --AND-- DSML is supposed to make directories talk to each other). On the other hand, SAML is supposed to be able to transport all kinds of "interesting" user profile info among various sites/companies/applications/etc. And, given that Project Liberty is using SAML, and maybe WS-Security will be friendly to SAML, then in all likelihood SAML will have a much more widespead usage than DSML. That being the case ... it would be interesting to think about using SAML as the basis for SPML. Maybe someone more technical/knowledgeable than me can start a discussion on this at SPML. bye, Edwin. ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>