OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] SAML, trust and WS.


> that bit of trust is for the VFS to lock down services to known clients,
> if required. Perhaps it's overkill. In effect the VLE is identifying
> itself to the VFS and trying to prove it's allowed to access the VFS
> services.

That just means you care about both parts of the delegation chain.

> If the VFS trusts the VLE then it can trust the IdP too, whose information
> is being transmitted by the VLE to the VFS.

No, you can't. That model just means all you care about is the VLE and the
VFS gives him carte blanche to assert anything about anyone at any time.

> The VLE is saying "I'm the VLE and if you need attributes for the user on
> whose behalf I'm working, here's their Subject and IdP location

That's the "current" model in these kinds of systems because the portal is
just "root". You needn't bother with SAML.

> That's why I don't want transients as they'll just timeout.

That's immaterial. You should have a security token from the IdP that is
given to the VFS by the VLE and it can timeout anyway. Not to mention that
all identifiers can "timeout". I've seen 10 messages today about OSU users
that changed their username. It's just a question of degree.

> To compare with Scott's idea of an IdP giving a transient to an SPa for
> transmission to SPb. The transient becomes the SAML avatar in the loopback
> scenario. So it has to be a persistent identifier, that travels among
> external entities.

That destroys my privacy, nor is it a security token, it's just an
attribute. And my idea wasn't to use a transient ID. It was to show how one
would work. In practice, I would think federated IDs are more likely in the
future, and they have to be per-SP and encrypted for each hop. That forces a
callback to the IdP anyway, and it turns them back into transients. That's
just the way this stuff tends to work.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]