OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] Con Call Tuesday 4/23

>>- Discuss the technical focus
>>  - We have agreed that browser artifact is at least one
>>aspect of the demo
>>  - If we are going to do anything with authz decision
>>assertions we will need a clear proposal and I think all of
>>us would like to see this happen

I will like to express my serious reservations with a broad expansion of the
demonstration described in the document draft-catalyst-interop-plan-00.doc.
I would view
use of AuthZ statements AND inclusion of the PEP-PDP protocol as an
extremely broad expansion. 

The flows I have described in the plan are at a high-level. It will some
work to make them concrete. We haven't done this work yet!!

Here are some issues that need to be addressed:

(1) What is the exact format of the SAML assertion transferred between
"portal" and content-site?

In particular,

	(a) Must certain optional SAML elements must be used?

	(b) For the SAML elements which must be present, are there specific
values or formats that must be used? Examples, include
<AuthenticationMethod>, <NameIdentifier> etc,

	(c) If attributes are present (and I think they should be!), what
are they? What should their values be?

	(d) Will we use a DSML2.0 version of a standard LDAP schema such as
InetOrgPerson for the attributes?

(2) Which browser type and versions due we plan to test with?

(3) In Steps 4 and 5 of the browser/artifact profile, the content-site and
portal must mutually authenticate each other. I would suggest that the
portal site use SSL (with a certificate -- who is the issuer for this
certificate?) and the content-site authenticate using a password

Is this acceptable? Do people want a stronger or weaker security interaction
between content-site and portal?

(4) Exactly what are the negative and positive flows we will demo? These
need to be called out in full detail. Without negative flows (e.g.,
content-site does not
allow access to certain content) the general public is not going to
appreciate the demo very much.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC