Subject: RE: [saml-dev] Distributed IDP model
I'm not sure how "lightweight" you can be if you're including all the IdP filled fields that can be in an assertion (essentially you end up sending over a duplicate of the structure of an assertion and at that point, why not just use the assertion format).
[McCormick, Mike] You may be right. Does SAML protocol define a standard request=assertion / response=artifact type of message?
For example:
Can the IdP (on its own, or at the direction of the user) initiate a logout of the user? If so you need the SLO protocols.
[McCormick, Mike] This is not an issue for the community in question because there are no coordinated logoff requirements.
Similarly, if the RP initiates a logout, does the IdP find out about it from the CIA?
[McCormick, Mike] See above.
How does the CIA get the NameID for the user (and does it get it in plain-text, or does the IdP already encrypt it for the Relying Party)?
[McCormick, Mike] The user name (and possibly other attribute data) will be passed on the call from IDP to CIA in step 2.
How does the IdP send out nameID changes (NameID Management) to the Relying Parties (is that through the CIA as well)?
[McCormick, Mike] This is not an issue for the community in question because naming is based on permanent UUIDs.
Who keeps track of an existing authentication session at the Relying Party? The IdP or the CIA or both?
[McCormick, Mike] This is not an issue for the community in question because there are no coordinated session mgmt requirements.
I fear that any attempt to short circuit these kinds of things opens up the potential for the creation of security holes.
[McCormick, Mike] You may be right but I'd like to see an example that's applicable to my particular circle of trust. I believe there are applications and communities for which this distributed IDP model can be safely implemented. It would be great if SAML supported us.
As Scott said, you can always treat the CIA as an internal implementation of the IdP (and therefore ensure that the interfaces exposed by the IdP/CIA fulfill the requirements of the SSO profile you're trying to implement).
[McCormick, Mike] Yes that's exactly what we'll be forced to do if the SAML paradigm insists on viewing the IDP and CIA as one logical entity and doesn't provide any standard interfaces for their "internal" information exchanges.
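The message above asks whether SAML has a standard "request=assertion / response=artifact" exchange. The SAML 2.0 HTTP Artifact binding is the closest thing: the issuer hands out a short opaque artifact and the receiver resolves it over a back channel with ArtifactResolve. The following is an added example, not code from the thread or from any of the parties discussed, showing the type-0x0004 artifact layout (TypeCode, EndpointIndex, SHA-1 SourceID of the issuer's entityID, 20-byte random MessageHandle) and the two checks a practitioner cares about: the requester verifies the SourceID matches the issuer it expects, and the issuer resolves each artifact only once and only within a short lifetime. The entity IDs, assertion strings and TTL are constructed sample values.

```python
import base64
import hashlib
import secrets
import time

# Layout of a SAML 2.0 type-0x0004 artifact (SAML 2.0 Bindings, section 3.6.4):
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
# Entity IDs, assertion strings and the TTL used below are constructed sample values.
ARTIFACT_TYPE = 0x0004
ARTIFACT_LEN = 44


def source_id(entity_id):
    """SourceID is the SHA-1 digest of the artifact issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id, endpoint_index, handle=None):
    """Encode an artifact; the MessageHandle must be 20 unpredictable bytes."""
    handle = secrets.token_bytes(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    raw = (ARTIFACT_TYPE.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id(entity_id)
           + handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Decode and structurally validate an artifact received from a peer."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("wrong artifact length")
    if int.from_bytes(raw[0:2], "big") != ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "handle": raw[24:44],
    }


class ArtifactStore:
    """Issuer-side map from artifact to the assertion it references.

    Resolution is single-use and time-limited: a repeated or expired
    ArtifactResolve gets no assertion back, which is what keeps a leaked
    or replayed artifact from yielding the assertion a second time.
    """

    def __init__(self, entity_id, ttl_seconds=60.0, clock=time.time):
        self.entity_id = entity_id
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # artifact -> (assertion, issued_at)

    def issue(self, assertion, endpoint_index=0):
        """Store the assertion and return the artifact that references it."""
        artifact = build_artifact(self.entity_id, endpoint_index)
        self._pending[artifact] = (assertion, self.clock())
        return artifact

    def resolve(self, artifact):
        """Return the referenced assertion once, or None if unknown, reused or stale."""
        entry = self._pending.pop(artifact, None)   # pop: second resolve finds nothing
        if entry is None:
            return None
        assertion, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None
        return assertion


def requester_check(artifact, expected_issuer):
    """Receiver-side check before sending ArtifactResolve: the SourceID must
    identify the issuer whose resolution endpoint we are about to call."""
    fields = parse_artifact(artifact)
    if fields["source_id"] != source_id(expected_issuer):
        raise ValueError("artifact SourceID does not match expected issuer")
    return fields
```

The point of the single-use, short-lived table is that the artifact itself carries no assertion content, so whichever party (IdP or a separate component like the CIA) issues it must be the one that answers ArtifactResolve, and that party has to authenticate the resolving peer on the back channel. That is the interface the thread is asking SAML to standardize between the IdP and the CIA.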