Subject: RE: [saml-dev] Distributed IDP model


My thanks to Conor and Scott for commenting.  Some responses & clarifications appear in red below.


From: Cahill, Conor P [mailto:conor.p.cahill@intel.com]
Sent: Wednesday, August 09, 2006 3:33 PM
To: McCormick, Mike; saml-dev@lists.oasis-open.org
Cc: White, Joshua; Palmer, Pete; Laracuente, Israel; Rudolph, Mike
Subject: RE: [saml-dev] Distributed IDP model

I'm not sure how "lightweight" you can be if you're including all the IdP filled fields that can be in an assertion (essentially you end up sending over a duplicate of the structure of an assertion and at that point, why not just use the assertion format).
[McCormick, Mike] You may be right.  Does SAML protocol define a standard request=assertion / response=artifact type of message? 
 
Another point I would like to make is that an awful lot of thought went into the design of the system in SAML and much of it came from people with experience running large SSO implementations... we solved many issues related to a well oiled system.  Your question makes me think that you think you can get around many of these issues by delegating them to some other party; however, I'm not convinced that this can be satisfactorily accomplished without implementing full SAML between the IdP and the CIA.
 
For example:
etc, etc...
 
I fear that any attempt to short circuit these kinds of things opens up the potential for the creation of security holes.
[McCormick, Mike] You may be right but I'd like to see an example that's applicable to my particular circle of trust.  I believe there are applications and communities for which this distributed IDP model can be safely implemented.  It would be great if SAML supported us.
 
As Scott said, you can always treat the CIA as an internal implementation of the IdP (and therefore ensure that the interfaces exposed by the IdP/CIA fulfill the requirements of the SSO profile you're trying to implement).
[McCormick, Mike] Yes that's exactly what we'll be forced to do if the SAML paradigm insists on viewing the IDP and CIA as one logical entity and doesn't provide any standard interfaces for their "internal" information exchanges. 
 
Conor

