OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] =?UTF-8?B?UsOpZi4gOiBbc2FtbC1kZXZdIFJlOiBSw6lmLiA6?==?UTF-8?B?IFJlOiBbc2FtbC1kZXZdIFLDqWYuIDogUkU6IFtzYW1sLWRldl0gQXR0cmlidXQ=?==?UTF-8?B?ZVF1ZXJ5IDogd2h5IFNPQVAgYmluZGluZyA/?=

Scott, given Valérie's requirements, what do you think about a
front-channel binding for an attribute query request?

Scott Cantor wrote:
>> We have exactly the same requirement for "dynamically" obtaining
> information
>> from an IdP with user consent at the IdP here in New Zealand. 
> I don't see how it's the same if your problem can be solved at
> authentication time and theirs apparently can't. I agree with Valerie that
> if the requirement is to ask for information after login, it's silly to
> artificially perform another authentication to get the information.
>> I believe that submissions are currently in progress to the SAML 2
> technical
>> expert committee for a mechanism within the specification to permit the
>> dynamic requesting of information within the <AuthnRequest>.  I am not
> aware
>> of any timeframe or the whether the submissions will be accepted, but I
> hope
>> this helps.
> There's no timeframe because the person that offered to draft something
> hasn't done so. There is no submission that uses the required conventions
> and follows the norms that would be acceptable in an approved extension.
>> Other potential options (but not really recommended) could involve
>> specifying the required attributes as a String in the
>> <RequestedAuthnContext>.
> Obviously, that doesn't make much sense. We have an extension point, that's
> what you need to use if you develop something yourself.
>> The AttributeConsumerServiceIndex is another
>> option, but is a fairly indirect mechanism.
> It's no different than using a WS-SecurityPolicy document with Cardspace.
>> As a last resort you could
>> consider the use of SAML <Extensions> in the <AuthnRequest>, but I don't
>> know if that would suit your model either?
> I'm not sure if you're clear on this, but if something "official" gets
> drafted, that's what it will be. There is no other place to do it (within an
> AuthnRequest).
> But Valerie's problem is different, and I would agree that using a query
> through the browser probably makes more sense.
> -- Scott
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

Serving Swiss Universities
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@switch.ch, http://www.switch.ch

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]