saml-dev message



Subject: RE: [saml-dev] SAML Elevator Speech


Roger,

Your choice of questions is a good selection for the elevator conversation. It highlights two operations, authentication and authorization.

 

However, my bandwagon goes along the lines of acknowledging that SAML is just a transport of information when it comes to authorization. What those attributes are can be signed and sealed, but that ends it. (Unless you are in a closed company environment and you know any requests come from YOUR authorizer who knows beforehand what your service attributes are.)

I may very well have different business rules required for authorization of services x, y and q32. So only the service provider knows what authority to make the authorizing request of. SAML has the requestor's (usually user) attributes, the provider has the service attributes and the authority can assess the combination. That cannot be prehandled (in my humble opinion).

 

 

Michael A. Barnhart

Technical Data Integrity - System Architect

817-763-3372

michael.a.barnhart@lmco.com

 


From: Costello, Roger L. [mailto:costello@mitre.org]
Sent: Friday, April 21, 2006 8:33 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] SAML Elevator Speech

 

Hi Folks,

 

I am trying to boil down SAML to its essence.  Below is what I’ve come up with. 

 

SAML Elevator Speech

 

A service provider can ask an authority one of these questions:

 

  1. Have you authenticated this ____ subject?
  2. For this ____ subject, what are his values for these ____ attributes?
  3. Should this ____ subject be allowed to take these ____ actions on this ____ resource?

 

 

An authority can make these statements (assertions):

 

  1. This ____ subject was authenticated on this ____ datetime, using this ____ mechanism.
  2. This ____ subject has this ____ value for this ____ attribute.
  3. For this ____ subject, taking this ____ action on this ____ resource, the decision is ____.

 

 

Is this an accurate assessment of what you can do with SAML?  Is it complete?  /Roger


