Subject: RE: [saml-dev] SAML, trust and WS.

> SAML provides capability for SSO and Delegation (via specific elements
> in the assertion).

No. SAML provides a core spec that can do lots of things. SAML also includes
a profile, supported by many products, that does web SSO. That's it. There
are no profiles for delegation, and so if you do it, you're on your own
right now.

> SAML DOESN'T provide the capability (in a standard way - through
> profiles) for a SP to query or ask for one Assertion or the other. (The
> only assertion currently supported in the profiles is the SSO one.)

See above. Yes, you can request SSO. Since there are no profiles for
delegation, there's no way to "ask" for that either.

> The important bit which I'm not too sure about is the following:
> the only difference between the two assertions is really the Subject
> confirmation bit (in the delegation case we need a holder of key or
> sender vouches).
> And the difference at the profile level is the capability to specify the
> assertion required.

The difference is also to define what's in the assertion in the first place.
Yes, using holder of key is a logical way to do delegation, but it's
probably not the only way, and there are certainly a lot of other details to
it, potentially. The paper from Virginia, for example, bears little
resemblance to mine.

> This might be too simplistic but, is this correct? What are other
> things missing?

I would say that it's all missing. If you want to do delegation *today*, and
not be inventing stuff, you basically have Liberty WSF. That's it. Whether
Liberty qualifies as a standard depends on your point of view, but it's
certainly got more behind it than just an academic paper or my hand-waving.

-- Scott