
Subject: Re: [saml-dev] Sessions and SSO.

Please remove my email from your distribution list. I'm no longer subscribed to the saml-dev mailing list.

Héctor Leslie

From: "Conor P. Cahill" <concahill@aol.com>
To: "Scott Cantor" <cantor.2@osu.edu>
CC: "Giuseppe Sarno" <gsarno@nortel.com>, saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Sessions and SSO.
Date: Fri, 28 Oct 2005 07:54:51 -0400

Scott Cantor wrote on 10/28/2005, 7:06 AM:

> Giuseppe Sarno wrote:
> > In few words SAML is not, actually, really, facilitating SSO. SSO is
> > actually facilitated by some other mean (session management between
> > user and IDP).
> >
> > Is this correct ? Am I missing something ?
> Yes, that's correct. The SSO profile is more accurately described as an
> HTTP authentication profile of SAML. SSO is out of scope except insofar
> as specific processing rules will occasionally preclude SSO (ForceAuthn).

I think we're deep into the nuances of the interpretation of English
here (a bad place to be in many cases), but I think it isn't as clear-cut
as a yes/no answer.

First, in discussing SSO, one could argue that authenticating at
one party (the IdP) and using that authentication at another party
(the SP) is SSO, even if you have to perform the authentication
steps every time an SP requests an assertion.

Alternatively, one could take the interpretation that you seem
to have (that SSO requires a single authentication event to be
used at multiple relying parties (SPs)).

Secondly, the term "facilitates" is open to interpretation as well:

One could argue that SAML 2.x "facilitates" SSO by providing
a means for one party (the IdP) to explain to another party
(the SP) how they (the IdP) authenticated the user.

As Scott did above, one can also reasonably argue that since SAML
does not address in any way how the asserting party (the IdP)
determines if the user is "authenticated" nor does SAML address
whether or not a particular "authentication event" could be reused.

My point in all this is that people do talk about SAML in terms
of SSO and depending upon your interpretation of the terms and
the meaning you derive from them, this could be correct or not.

Personally I think a reading that says that SAML does not
facilitate SSO is a bit too narrow, but it isn't a big deal.
The key is that you can implement very good SSO systems on top
of SAML and use the SAML protocols as the wireline interfaces
between the parties involved in such a system.
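An added example, not code from this thread or from any SAML implementation: the IdP-side decision on whether an earlier authentication event may be reused to answer a new AuthnRequest, i.e. the session-management piece both posters describe as outside SAML itself, with ForceAuthn being the one request attribute that forbids reuse. The AuthnRequest samples, the IdPSession class, the max_age policy and the decide function are all constructed here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class IdPSession:
    """Constructed model of the IdP-side session SAML leaves out of scope."""
    principal: str
    authn_instant: datetime   # when the user last actually authenticated
    max_age: timedelta        # IdP policy: how long that event may be reused


def parse_force_authn(authn_request_xml: str) -> bool:
    """Read the ForceAuthn attribute (xs:boolean) of a samlp:AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def decide(session: Optional[IdPSession], force_authn: bool, now: datetime) -> str:
    """Return 'reuse' if the earlier authentication event may satisfy the
    request, otherwise 'authenticate' (the user must log in again)."""
    if force_authn:
        return "authenticate"          # SP explicitly forbids reuse (no SSO)
    if session is None:
        return "authenticate"          # no prior authentication event at all
    if now - session.authn_instant > session.max_age:
        return "authenticate"          # local policy: event too old to reuse
    return "reuse"                     # SSO: assert the earlier event to this SP


# Constructed sample requests (IDs and times are made up).
REQ_DEFAULT = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_a1" Version="2.0" '
    'IssueInstant="2005-10-28T12:00:00Z"/>'
)
REQ_FORCED = REQ_DEFAULT.replace('ID="_a1"', 'ID="_a2" ForceAuthn="true"')

NOW = datetime(2005, 10, 28, 12, 0, tzinfo=timezone.utc)
SESSION = IdPSession("alice", NOW - timedelta(minutes=30), timedelta(hours=8))

if __name__ == "__main__":
    print(decide(SESSION, parse_force_authn(REQ_DEFAULT), NOW))  # reuse
    print(decide(SESSION, parse_force_authn(REQ_FORCED), NOW))   # authenticate
```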
