security-bindings message



Subject: Comparison of the two web browser discussions


A few comments on the relationship between the web browser
related material in [draft-sstc-bindings-model-0.4] and [Tim Moses]
 
These comments are not meant to be definitive; instead, they are
a means for figuring out pieces common and distinct in both
proposals.
 
+++++++++++++++++++++++++++++++++++++++++++++++
 
(1).  Steps 10 - 14 (Tables 1 and 2 of [Tim Moses]) are a detailed
realization of Scenarios 1-1 ("Pull") and Scenarios 1-2 ("Push")
from the Use-Case document. 
 
My belief is that the web browser
profile in [draft-sstc-bindings-document-model-0.4] more-or-less
provides an adequate solution for these cases (actually, the
"push" case is currently missing from
[draft-sstc-bindings-document-model-0.4], 
but adding it is straightforward). 
 
 
(2). Table 3 describes the following situation: the user travels from
one protected site (Protected site 1) to another, called Protected site 2.
(in the use-case document the term destination site is used instead
of protected site). We would also like Protected site 2 to enjoy the
benefits of prior authentication at the Authentication server.
 
The solution proposed in Table 3 is that Protected site 1 should
be able to inform Protected site 2 about the location of the (shared) 
Authentication server. Protected Site 2 can then re-direct to the
authentication service and, using the steps described in (1) above,
obtain an assertion. 
 
QUESTION: is it proposed that this additional
interaction between Protected site 1 and 2 be modeled within SAML?
 
(3). Section 1.1 ("Cross-domain Operation") describes an additional
variation on (2), wherein an intermediary ("local authentication server")
plays a role in the re-direct protocol between Protected Site 2 and
the original authentication server.
 
QUESTION: are there additional requirements here that need to
be modeled in SAML bindings?
 
 
- prateek

[Tim Moses]
http://lists.oasis-open.org/archives/security-bindings/200106/msg00008.html


