Subject: RE: [saml-dev] SAML Elevator Speech



A service provider can ask an authority one of these questions:


  1. Have you authenticated this ____ subject?  
I tend to prefer to say, more simply, "hey, who is this guy?" (yeah, not the most politically correct way to say it).  
Although more accurately it is "Hey, can you tell me who this person is and, if so, how you authenticated them and, btw, I would prefer that you make sure that they have been authenticated this way and, btw, I (the SP) would/wouldn't prefer that you interact with the user in order to possibly get an answer to this question" (yeah, a bit more complex, hence I like the "who is this guy").
Of course there's also:
  • Hey, can you reauthenticate this guy right now?
  • Hey, can you authenticate this guy in this (presumably) "stronger" way? (e.g. the user was authenticated with a username/password and the SP asks for the user to be authenticated with a smartcard or, perhaps, even simply "something stronger than a username/password")

An authority can make these statements (assertions):


  1. This ____ subject was authenticated on this ____ datetime, using this ____ mechanism.  
"mechanism" can be more than just "how you authenticated" but also include some of the policy descriptions behind the mechanism (such as required password length, password "entropy", etc.).
Also, while SAML does still have remnants of authorization decisions, I think the preference moving forward is to use XACML statements within a SAML assertion.

