OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Any common identity creation profile?

On 3/29/12 6:36 PM, "Will Hartung" <willh@mirthcorp.com> wrote:
>The issue we have is that there's no way for an administrator of the
>local application to do any provisioning of users before they log in
>because the application has never seen the user before.

>So, we want to create a process to push identities out to the compatible
>applications, so that will be possible.

How would an administrator of a local application have any access to the
IdP to do this, and how would he/she signal which user(s) were meant?

And is it really efficient to do this one at a time?

I think SPML was meant to be the way to wrap SAML-based representations of
users for more efficient push operations like that. Using assertions just
doesn't map well to any notion of provisioning in bulk.

>My question is simply if there's an existing profile in common use I
>could leverage already, and/or any pointers on how to leverage a SAML
>assertion in my own payload. Can I simply make my own RequestType that
>extends RequestAbstractType, and add an Assertion element to the request?
>Is that the best way to do this?

There was a ChangeNotify protocol proposal that probably has some overlap
with something you're thinking of. It essentially signals that some
protocol flow is available, push or pull, to move user data around.

I suppose industry-wise, there's SCIM, which doesn't seem much more than a
reinvention of batch feeds to me, but I'm sure others will advocate for

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]