saml-dev message

Subject: Re: [saml-dev] SAML, trust and WS.

From: Tom Scavo <trscavo@gmail.com>
To: alistair@smo.uhi.ac.uk
Date: Wed, 21 Dec 2005 09:11:37 -0500

On 12/21/05, Alistair Young <alistair@smo.uhi.ac.uk> wrote:
>
> Scott's example is for SPa to request something from an IdP for another
> entity down the line.

AFAICT, the exchange between SPa and the IdP is to (1) bind SPa's key,
and (2) produce a NameID that SPb can use to query attributes.

> So the IdP has to keep generating transients.

Indeed!

> I don't like this. It's not "compact" enough for me. I just like the idea
> of each SP taking care of it's own requirements.

An SP can't just decide on its own to delegate.  The right to delegate
must be granted by the user (via the IdP).  An SP in the chain must be
bound to the chain by an entity preceding it in the chain.

> Tom - I'm not sure what you mean by the NameIdentifier issue.

Well, in the VLE/VSF scenario, tell me how a NameID is going to find
its way from the IdP to VFS.  More importantly, what are the
properties of this identifier?

Tom

Follow-Ups:
- RE: [saml-dev] SAML, trust and WS.
  - From: "Scott Cantor" <cantor.2@osu.edu>

References:
- Re: [saml-dev] SAML, trust and WS.
  - From: Tom Scavo <trscavo@gmail.com>
- RE: [saml-dev] SAML, trust and WS.
  - From: "Scott Cantor" <cantor.2@osu.edu>
- RE: [saml-dev] SAML, trust and WS.
  - From: "Alistair Young" <alistair@smo.uhi.ac.uk>