
saml-dev message



Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services


> At some level that's true and I'll admit that I characterized it as a
> gateway approach - it's a natural step when you sell a gateway style
> product :) But the authorization server doesn't necessarily have to be
> a distinct entity, it could be an additional endpoint at the service.

It could, but that just adds a whole new protocol exchange without obviating
the need for SAML support in the service.

> At another level it's nothing more than exchanging SAML for some
> session token.  But it's happening within the framework of a standard
> which is good for interoperability.

I suppose so, but cookies predate OAuth, and are simpler, and a session
based on TLS is much stronger than either of them.

> The token is both issued and consumed by the same party (in the most
> common use case anyway) and it is opaque to the client so it can
> contain whatever that entity deems necessary in whatever format makes
> the most sense for it.

I don't think the token is consumed by the issuer when you split off the
token issuer. That demands a standard format, and now we're deep into the
idiotic arguments about XML vs JSON, and I'm not going there.

-- Scott



