OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: Re: [saml-dev] One token per endpoint-address?

Thanks for your very fast reply.
In this case, I want to use SAML only for simple AuthenticationStatements. I use them as endorsed supporting tokens. So for me it would be the best when a client gets a token and can use for every web-service on the server. 

Problem is the WCF implementation of Microsoft which calls the STS for each web-service, means a generated WCF client requests for each service a token (AppliesTo in the request).

----- original Nachricht --------

Betreff: Re: [saml-dev] One token per endpoint-address?
Gesendet: Do, 06. Mär 2008
Von: Chad La Joie<chad.lajoie@switch.ch>

> Is it necessary?  Well, no.  But, there are a couple of things that 
> would influence this.
> Most token issuers are probably populating the tokens with an audience 
> restriction in order to convey that the assertion is only meant for a 
> particular service or set of services.  So, if the issuer indicates that 
> an assertion is only meant for services A & B you shouldn't be sending 
> it to C (and C shouldn't accept it).
> Another aspect that impacts this would be the content of the assertion. 
>   If the assertion contains sensitive information (e.g. a non-opaque 
> name identifier or user attributes), then the issuer may want to issue 
> different assertion for different services in order to show each service 
> only the minimal amount of data that they require.
> This isn't to say that a token can't be used with more than one service, 
> but instead that you really need to work with the token issuer to 
> determine the set of services with which a token could be used.
> Christian Mielke wrote:
> > Hi, when I have different web-services which all trust the same
> > security token services which provides SAML 1.1 tokens, is it
> > neccessary that a client must obtain one token for each service? Or
> > is it sufficient when obtaining one token which can be used for all
> > services that trust the security token service? With kind regards 
> > Christian
> > 
> -- 
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Security
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> chad.lajoie@switch.ch, http://www.switch.ch
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

--- original Nachricht Ende ----

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]