Subject: RE: [saml-dev] Sessions and SSO.
Hi,

I do agree with your view of the situation; I think Scott, though, got the point I was trying to make.

Thanks.
Giuseppe.

-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: 28 October 2005 12:55
To: Scott Cantor
Cc: Sarno, Giuseppe [MOP:GM15:EXCH]; saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Sessions and SSO.

Scott Cantor wrote on 10/28/2005, 7:06 AM:

> Giuseppe Sarno wrote:
> > In a few words SAML is not, actually, really, facilitating SSO. SSO is
> > actually facilitated by some other means (session management between user
> > and IDP).
> >
> > Is this correct? Am I missing something?
>
> Yes, that's correct. The SSO profile is more accurately described as an
> HTTP authentication profile of SAML. SSO is out of scope except insofar
> as specific processing rules will occasionally preclude SSO (ForceAuthn).

I think we're deep into the nuances of the interpretation of English here (a bad place to be in many cases), but I think it isn't as clear cut as a yes/no answer.

First, in discussing SSO, one could argue that authenticating at one party (the IdP) and using that authentication at another party (the SP) is SSO, even if you have to perform the authentication steps every time an SP requests an assertion. Alternatively, one could take the interpretation that you seem to have (that SSO requires a single authentication event to be used at multiple relying parties (SPs)).

Secondly, the term "facilitates" is open to interpretation as well: one could argue that SAML 2.x "facilitates" SSO by providing a means for one party (the IdP) to explain to another party (the SP) how they (the IdP) authenticated the user. As Scott did above, one can also reasonably argue that since SAML does not address in any way how the asserting party (the IdP) determines if the user is "authenticated", nor does SAML address whether or not a particular "authentication event" could be reused.

My point in all this is that people do talk about SAML in terms of SSO, and depending upon your interpretation of the terms and the meaning you derive from them, this could be correct or not. Personally I think a reading that says that SAML does not facilitate SSO is a bit too narrow, but it isn't a big deal. The key is that you can implement very good SSO systems on top of SAML and use the SAML protocols as the wireline interfaces between the parties involved in such a system.

Conor