Subject: Re: [saml-dev] One token per endpoint-address?
Is it necessary? Well, no. But there are a couple of things that would influence this. Most token issuers are probably populating the tokens with an audience restriction in order to convey that the assertion is only meant for a particular service or set of services. So, if the issuer indicates that an assertion is only meant for services A & B, you shouldn't be sending it to C (and C shouldn't accept it).

Another aspect that impacts this would be the content of the assertion. If the assertion contains sensitive information (e.g. a non-opaque name identifier or user attributes), then the issuer may want to issue different assertions for different services in order to show each service only the minimal amount of data that they require.

This isn't to say that a token can't be used with more than one service, but instead that you really need to work with the token issuer to determine the set of services with which a token could be used.

Christian Mielke wrote:
> Hi,
>
> when I have different web-services which all trust the same security token service which provides SAML 1.1 tokens, is it necessary that a client must obtain one token for each service? Or is it sufficient when obtaining one token which can be used for all services that trust the security token service?
>
> With kind regards
> Christian

-- 
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@switch.ch, http://www.switch.ch
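An added example (not code from this thread or from SWITCH) showing the relying-party side of the point above: before a service consumes a SAML 1.1 assertion it checks the validity window and that its own URI is among the assertion's intended audiences, so an assertion scoped to A and B is rejected by C. Element names follow the SAML 1.1 assertion schema; the sample assertion, STS and service URIs are constructed, and signature verification is assumed to have been done beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# SAML 1.1 assertions use the SAML 1.0 assertion namespace URI.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: the STS scoped this assertion to services A and B only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://sts.example.org" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://service-a.example.org</saml:Audience>
      <saml:Audience>https://service-b.example.org</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audiences(assertion_xml):
    """All Audience URIs listed in the assertion's audience restriction(s)."""
    root = ET.fromstring(assertion_xml)
    path = "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]

def accept_assertion(assertion_xml, my_audience, now):
    """Return (accepted, reason) for service `my_audience` at time `now`.
    Signature verification is assumed to have happened before this step."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element; refusing unscoped assertion"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_after and now >= parse_saml_time(not_after):
        return False, "assertion expired"
    restrictions = cond.findall("saml:AudienceRestrictionCondition", NS)
    if not restrictions:
        return False, "no AudienceRestrictionCondition; refusing unscoped assertion"
    # SAML 1.1: every AudienceRestrictionCondition must be satisfied, and one is
    # satisfied when the relying party matches at least one of its Audience values.
    for r in restrictions:
        allowed = [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        if my_audience not in allowed:
            return False, f"{my_audience} is not an intended audience of this assertion"
    return True, "audience and validity window OK"
```

Refusing assertions that carry no audience restriction at all is a local policy choice shown here; it matches the advice above to agree the set of consuming services with the issuer rather than accept whatever arrives.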