[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [saml-dev] InterOp Scenario Extensions draft-01
Not sure. Andrew do you want to follow through with this ? As I indicated earlier, Sun would probably be able to support this proposed scenario, but it all depends on how many other vendors would like to participate in this extension. Thanks Bhavna >From: "Mishra, Prateek" <pmishra@netegrity.com> >To: "'Andy Fetterer'" <afetterer@crosslogix.com>, "'Bhavna Bhatnagar'" <bhavna.bhatnagar@Sun.COM>, saml-dev@lists.oasis-open.org >Subject: RE: [saml-dev] InterOp Scenario Extensions draft-01 >Date: Fri, 10 May 2002 17:58:44 -0400 >MIME-Version: 1.0 > >Is there closure on the proposed scenario? I am not sure >I follow exactly what is being proposed here. A re-spin would >be helpful, I could then add it to the official demo. doc. > >- prateek > > >-----Original Message----- >From: Andy Fetterer [mailto:afetterer@crosslogix.com] >Sent: Thursday, May 09, 2002 12:56 PM >To: 'Bhavna Bhatnagar'; saml-dev@lists.oasis-open.org; Andy Fetterer >Subject: RE: [saml-dev] InterOp Scenario Extensions draft-01 > > > >Bhavna / Scott - > >Thanks for reviewing the document and making suggestions. > >In terms of how the attribute assertion is passed to the authorization >authority, would the third proposal make the most sense? I don't think that >the expiration range would have to be unreasonably long. > >I intended for the attribute to be required as part of the authorization >query (e.g. the receiver must be able to process it), but its use in >determining the response to the query was not required. My concern was that >not all authorization authorities would be able to support external >attributes but I agree that we the requirement I wrote can be strengthened. > > >That being said, should we require that the attribute be used in evaluation >or not pass the attribute as part of the query? I would prefer to use the >attribute since it presents a stronger demonstration of interoperability >between systems but would like to hear from the sub-group working on the >authorization queries. > >-Andrew > >-----Original Message----- >From: Bhavna Bhatnagar [ mailto:bhavna.bhatnagar@sun.com ><mailto:bhavna.bhatnagar@sun.com> ] >Sent: Thursday, May 09, 2002 8:49 AM >To: saml-dev@lists.oasis-open.org; afetterer@crosslogix.com >Subject: Re: [saml-dev] > >Andrew, >Thanks for writing this up. I have a few comments/suggestions embedded. Not >sure >if all can access the doc, since I edited it in staroffice. Here is >the text I have embedded: >AS part of the original specification by prateek what comes as the SSO >Assertion >during SSO has an authentication statement and the attribute statement >holding >the MembershipLevel attribute. Since there is no separate attribute >assertion >coming down as part of the SSO, one would have to either: >1.Make an attribute query to the AA, and on receving the attribute >assertion, >use that as Evidence when making the proposed Authz query. ( this does not >make >sense since the receiver of the SSO assertion already has the attribute >information) >2. Create an attribute assertion from the attribute statement received as >part >of the SSO Assertion and use that as Evidence. ( dont think this is SOAP >binding >though, someone please confirm) >3.Use the same SSO Assertion as received during the SSO, which also holds >the >attribute statement as the Evidence, but then this may have expired. We >could >keep the expiration range to be long enough so that the assertion is alive >for >the whole round trip demo. > >If its upto vendor to use/not use the attribute assertion, what's the point >of >making it ? > >We need to refine this part to choose one of the 3 options or any other >alternatives. I think option 3 is more viable. >Thoughts ? > > >Thanks > >Bhavna > >>Content-return: allowed >>Date: Wed, 08 May 2002 12:43:56 -0700 >>From: Andy Fetterer <afetterer@crosslogix.com> >>Subject: [saml-dev] >>To: saml-dev@lists.oasis-open.org >>MIME-version: 1.0 >>List-Owner: < mailto:saml-dev-help@lists.oasis-open.org ><mailto:saml-dev-help@lists.oasis-open.org> > >>List-Post: < mailto:saml-dev@lists.oasis-open.org ><mailto:saml-dev@lists.oasis-open.org> > >>List-Subscribe: < http://lists.oasis-open.org/ob/adm.pl ><http://lists.oasis-open.org/ob/adm.pl> >, >< mailto:saml-dev-request@lists.oasis-open.org?body=subscribe ><mailto:saml-dev-request@lists.oasis-open.org?body=subscribe> > >>List-Unsubscribe: < http://lists.oasis-open.org/ob/adm.pl ><http://lists.oasis-open.org/ob/adm.pl> >, >< mailto:saml-dev-request@lists.oasis-open.org?body=unsubscribe ><mailto:saml-dev-request@lists.oasis-open.org?body=unsubscribe> > >>List-Archive: < http://lists.oasis-open.org/archives/saml-dev/ ><http://lists.oasis-open.org/archives/saml-dev/> > >>List-Help: < http://lists.oasis-open.org/elists/admin.shtml ><http://lists.oasis-open.org/elists/admin.shtml> >, >< mailto:saml-dev-request@lists.oasis-open.org?body=help ><mailto:saml-dev-request@lists.oasis-open.org?body=help> > >>List-Id: <saml-dev.lists.oasis-open.org> >> > >________________________________________________________________________ >Bhavna Bhatnagar Sun Microsystems Inc. > >Identity Management group __o >Tel: 408-276-3591 _`\<,_ > (*)/ (*) > ________________________________________________________________________ > > ________________________________________________________________________ Bhavna Bhatnagar Sun Microsystems Inc. Identity Management group __o Tel: 408-276-3591 _`\<,_ (*)/ (*) ________________________________________________________________________
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC