Subject: Re: [saml-dev] One token per endpoint-address?

Is it necessary?  Well, no.  But, there are a couple of things that 
would influence this.

Most token issuers are probably populating the tokens with an audience 
restriction in order to convey that the assertion is only meant for a 
particular service or set of services.  So, if the issuer indicates that 
an assertion is only meant for services A & B you shouldn't be sending 
it to C (and C shouldn't accept it).

Another aspect that impacts this would be the content of the assertion. 
If the assertion contains sensitive information (e.g. a non-opaque 
name identifier or user attributes), then the issuer may want to issue 
different assertions for different services in order to show each service 
only the minimal amount of data that it requires.

This isn't to say that a token can't be used with more than one service, 
but instead that you really need to work with the token issuer to 
determine the set of services with which a token could be used.

Christian Mielke wrote:
> Hi, when I have different web-services which all trust the same
> security token service which provides SAML 1.1 tokens, is it
> necessary that a client must obtain one token for each service? Or
> is it sufficient when obtaining one token which can be used for all
> services that trust the security token service?
>
> With kind regards
> Christian

Serving Swiss Universities
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@switch.ch, http://www.switch.ch
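The relying-party side of the audience check discussed above (service C refusing an assertion scoped to A and B), as an added example that is not part of the original thread or of any SWITCH code. The assertion XML and the audience URIs are constructed for illustration; signature verification, which must happen before any of this, is out of scope.

```python
"""Relying-party check of a SAML 1.1 AudienceRestrictionCondition (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: the issuer scoped this assertion to services A and B only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://sts.example.org">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://service-a.example.org</saml:Audience>
      <saml:Audience>https://service-b.example.org</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def audience_sets(assertion_xml: str) -> list[set[str]]:
    """Return one set of Audience URIs per AudienceRestrictionCondition.

    SAML 1.1 semantics: the audiences inside one condition are alternatives
    (OR), while several conditions must all be satisfied (AND).
    """
    # Verify the XML signature and use a hardened parser before trusting input.
    root = ET.fromstring(assertion_xml)
    conds = root.findall("saml:Conditions/saml:AudienceRestrictionCondition", NS)
    return [
        {a.text.strip() for a in c.findall("saml:Audience", NS) if a.text}
        for c in conds
    ]


def is_intended_audience(assertion_xml: str, my_audience: str,
                         require_restriction: bool = True) -> bool:
    """True if the service identified by my_audience may accept the assertion.

    An assertion with no AudienceRestrictionCondition is unrestricted; whether
    to accept such a token is a local policy choice (require_restriction).
    """
    sets = audience_sets(assertion_xml)
    if not sets:
        return not require_restriction
    return all(my_audience in s for s in sets)
```

Services A and B accept the sample; C rejects it, and an assertion carrying several AudienceRestrictionCondition elements is accepted only when the service appears in every one of them.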
