Subject: Re: [saml-dev] Any common identity creation profile?
On 3/29/12 6:36 PM, "Will Hartung" <email@example.com> wrote:
>
> The issue we have is that there's no way for an administrator of the
> local application to do any provisioning of users before they log in
> because the application has never seen the user before.
> So, we want to create a process to push identities out to the compatible
> applications, so that will be possible.

How would an administrator of a local application have any access to the IdP to do this, and how would he/she signal which user(s) were meant? And is it really efficient to do this one at a time? I think SPML was meant to be the way to wrap SAML-based representations of users for more efficient push operations like that. Using assertions just doesn't map well to any notion of provisioning in bulk.

> My question is simply if there's an existing profile in common use I
> could leverage already, and/or any pointers on how to leverage a SAML
> assertion in my own payload. Can I simply make my own RequestType that
> extends RequestAbstractType, and add an Assertion element to the request?
> Is that the best way to do this?

There was a ChangeNotify protocol proposal that probably has some overlap with something you're thinking of. It essentially signals that some protocol flow is available, push or pull, to move user data around.

I suppose industry-wise, there's SCIM, which doesn't seem much more than a reinvention of batch feeds to me, but I'm sure others will advocate for that.

-- Scott
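As an added illustration of the push-provisioning problem Will raises and the SCIM route Scott mentions (this is example code written for this page, not code from the thread, from SPML, or from any SCIM implementation): the Python below takes a SAML 2.0 assertion, checks its Conditions the way a relying party must before trusting it, and maps the Subject NameID and attribute statement onto a SCIM 2.0 core User resource plus the POST /Users request that would create the account at the application. The sample assertion, the attribute OIDs in ATTR_MAP, the SP entity ID and the SCIM base URL are all constructed assumptions. Signature verification is deliberately left out: it must be done with an XML-DSig library against the IdP's known signing certificate before any field of the assertion is used.

```python
"""Map a SAML 2.0 assertion onto a SCIM 2.0 User create request (constructed example)."""
import json
# Production code should parse untrusted XML with defusedxml to block entity-expansion attacks.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Assumed IdP attribute names (LDAP OIDs for mail, givenName, sn); adjust to what your IdP emits.
ATTR_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": ("emails", None),
    "urn:oid:2.5.4.42": ("name", "givenName"),
    "urn:oid:2.5.4.4": ("name", "familyName"),
}

# Constructed, unsigned sample assertion; real input must be signature-checked first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2012-03-30T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-03-30T12:00:00Z" NotOnOrAfter="2012-03-30T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    # xsd:dateTime in UTC; fractional seconds are tolerated and dropped.
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(root, audience, now):
    """Reject assertions outside their validity window or addressed to another SP."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")


def assertion_to_scim_user(xml_text, audience, now_iso):
    """Build a SCIM core User resource from a (pre-verified) SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("root element is not a SAML 2.0 Assertion")
    check_conditions(root, audience, _parse_time(now_iso))
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    subject = name_id.text.strip()
    # The persistent NameID is the IdP's stable key for this user, so it serves as both
    # the SCIM externalId (IdP-side id) and the initial userName at the application.
    user = {"schemas": [SCIM_USER_SCHEMA], "externalId": subject, "userName": subject, "active": True}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        target = ATTR_MAP.get(attr.get("Name"))
        if target is None:
            continue  # unmapped attributes are ignored rather than copied blindly
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if not values:
            continue
        field, sub_field = target
        if field == "emails":
            user["emails"] = [{"value": values[0], "primary": True}]
        else:
            user.setdefault(field, {})[sub_field] = values[0]
    return user


def build_scim_create_request(user, base_url="https://app.example.com/scim/v2"):
    """Describe the SCIM 2.0 (RFC 7644) create call: POST <base>/Users with a scim+json body."""
    return {
        "method": "POST",
        "url": base_url + "/Users",
        "headers": {"Content-Type": "application/scim+json", "Accept": "application/scim+json"},
        "body": json.dumps(user, sort_keys=True),
    }


if __name__ == "__main__":
    scim_user = assertion_to_scim_user(SAMPLE_ASSERTION, "https://app.example.com/sp", "2012-03-30T12:01:00Z")
    print(json.dumps(build_scim_create_request(scim_user), indent=2))
```

The validity-window and audience checks are the minimum a receiving application should enforce even on a push it trusts, since a replayed or misdirected assertion would otherwise create an account; the same ValueError path is what a stale assertion hits if the provisioning feed is delayed past NotOnOrAfter.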