OASIS Mailing List Archives

saml-dev message


Subject: Re: [saml-dev] RE: How to provide SAML assertions in RESTful services


>> At another level it's nothing more than exchanging SAML for some
>> session token.  But it's happening within the framework of a standard
>> which is good for interoperability.
>
> I suppose so, but cookies predate OAuth, and are simpler, and a session
> based on TLS is much stronger than either of them.

No argument there.

>> The token is both issued and consumed by the same party (in the most
>> common use case anyway) and it is opaque to the client so it can
>> contain whatever that entity deems necessary in whatever format makes
>> the most sense for it.
>
> I don't think the token is consumed by the issuer when you split off the
> token issuer.

Not the issuer itself, true, but the controlling organization of both
the issuer and the service. So the format must be standardized
within that domain but not a standard in the sense of an OASIS or IETF
standard.

> That demands a standard format, and now we're deep into the
> idiotic arguments about XML vs JSON, and I'm not going there.

I've got no interest in going there.

