saml-dev message
Subject: RE: [saml-dev] Distributed IDP model
- From: <michael.mccormick@wellsfargo.com>
- To: <conor.p.cahill@intel.com>, <saml-dev@lists.oasis-open.org>
- Date: Wed, 9 Aug 2006 17:28:30 -0500
Title: Distributed IDP model
My thanks to Conor and Scott for commenting. Some responses & clarifications appear in red below.
I'm not sure how "lightweight" you can be if you're including all the IdP filled fields that can be in an assertion (essentially you end up sending over a duplicate of the structure of an assertion and at that point, why not just use the assertion format).
[McCormick, Mike] You may be right. Does SAML protocol define a standard request=assertion / response=artifact type of message?
Another point I would like to make is that an awful lot of thought went into the design of the system in SAML and much of it came from people with experience running large SSO implementations... we solved many issues related to a well oiled system. Your question makes me think that you think you can get around many of these issues by delegating them to some other party; however, I'm not convinced that this can be satisfactorily accomplished without implementing full SAML between the IdP and the CIA.
For example:
- Can the IdP (on its own, or at the direction of the user) initiate a logout of the user? If so you need the SLO protocols.
[McCormick, Mike] This is not an issue for the community in question because there are no coordinated logoff requirements.
- Similarly, if the RP initiates a logout, does the IdP find out about it from the CIA?
[McCormick, Mike] See above.
- How does the CIA get the NameID for the user (and does it get it in plain-text, or does the IdP already encrypt it for the Relying Party)?
[McCormick, Mike] The user name (and possibly other attribute data) will be passed on the call from IDP to CIA in step 2.
- How does the IdP send out nameID changes (NameID Management) to the Relying Parties (is that through the CIA as well)?
[McCormick, Mike] This is not an issue for the community in question because naming is based on permanent UUIDs.
- Who keeps track of an existing authentication session at the Relying Party? The IdP or the CIA or both?
[McCormick, Mike] This is not an issue for the community in question because there are no coordinated session mgmt requirements.
etc, etc...
I fear that any attempt to short circuit these kinds of things opens up the potential for the creation of security holes.
[McCormick, Mike] You may be right but I'd like to see an example that's applicable to my particular circle of trust. I believe there are applications and communities for which this distributed IDP model can be safely implemented. It would be great if SAML supported us.
As Scott said, you can always treat the CIA as an internal implementation of the IdP (and therefore ensure that the interfaces exposed by the IdP/CIA fulfill the requirements of the SSO profile you're trying to implement).
[McCormick, Mike] Yes that's exactly what we'll be forced to do if the SAML paradigm insists on viewing the IDP and CIA as one logical entity and doesn't provide any standard interfaces for their "internal" information exchanges.
Conor