Re: [saml-dev] RE: How to provide SAML assertions in RESTful services

[Scott Cantor <cantor.2@osu.edu>]

On Jun 25, 2010, at 4:32 PM, "Moehrke, John (GE Healthcare)" <John.Moehrke@med.ge.com> wrote:

> e) The Service-Provider needs the user-identity for Audit Logging
> purposes

It may need to know it, but does it need to know that the user is a party to the transaction, or is it simply data that is part of the transaction like any other part of it?

> f) The Service-Provider may need the user-identity for access control
> (RBAC) enforcement

Yes, but are you trusting the client to tell you that identity, or does the user need to be a secure party to the flow?

> g) We want to use SAML because the client (b) may be in a different
> organization than (f). They have a system-to-system trust relationship,
> but this does not extend to being allowed to do LDAP queries from one
> organization to the other. So we would like the SAML assertion power to
> carry these additional user properties, including LOA.

That just sounds like data to me. Perhaps data that's signed itself by some authority, but with no security properties relevant to SAML. Or OAuth for that matter.

> So, somehow we need to carry the SAML assertion on the RESTful API.

I think it's just app content.

> Are we using SAML wrong?

No, just somewhat superfluously.

> 

What I was trying to figure out was why OAuth would be a candidate. I don't think it is, because your security here is server to server, not Token based.

-- Scott