security-services-comment message
Subject: Questions about SAML V2.0 Condition for Delegation Restriction Version 1.0

I am concerned that the spec as written does not provide enough information on how it would be composed. Would it be possible to include some scenarios that explain how it could be used and demonstrate what the conditions would actually look like for those scenarios?

I have three scenarios that are rather vague, but I am trying to understand this at a very high level.  Would all (or any) of these scenarios be legitimate:

Scenario 1: An IDP issues an assertion to an SP. The SP adds itself as a Delegate to this assertion and then forwards it on to an RP (strips off the IDP's signature and adds its own signature). The RP then makes a decision based on the Delegate/IDP/Assertion Content/Signature.

Scenario 2: An IDP issues an assertion to an SP that includes a list of all Delegates the IDP trusts (including that SP itself). The SP then forwards this assertion to another RP (the SP does not alter the original assertion in any way). The RP then makes a decision based on all the Delegates/IDP/Assertion Content/Signature? Was this RP also in the delegate list (would it need to be)?

Scenario 3: An IDP issues an assertion to an SP that includes a list of all Delegates the IDP trusts (this list does not include that SP).  The SP will not forward this assertion, since he is not a delegate.

I realize this spec is just explaining how to represent Delegates and not defining how they are used, but without some sort of scenarios or examples, it feels inadequate. Is a Delegate an issuer of assertions? Would Delegates need to appear uniquely within the SAML 2 Entity Metadata for a federation? If they do, is there a need for a new role descriptor type?
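The following is an added illustration of the three scenarios in the message, not code from the message's author or from any OASIS deliverable. It assumes, as the editor's reading of the Delegation Restriction spec (verify against the spec text), that the condition is a <saml:Condition xsi:type="del:DelegationRestrictionType"> in the namespace urn:oasis:names:tc:SAML:2.0:conditions:delegation, holding one or more <del:Delegate> elements (each with an optional DelegationInstant attribute) that wrap a <saml:NameID>. All entity identifiers are constructed placeholders, the assertion is constructed inline, and XML Signature handling is left out: a real SP that adds itself as a delegate must re-sign, and a real RP must verify the signature before evaluating any of the checks below. The relying-party policy shown (presenter must be the last listed delegate) is one possible policy, not something the spec mandates.

```python
"""Added example: Delegation Restriction condition, the three scenarios from
the message.  Element names are the editor's assumption about the spec;
entity IDs and the assertion itself are constructed.  No signatures here."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
ENTITY_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when serialising


def build_assertion(issuer, delegates=()):
    """Constructed sample assertion from `issuer`; a non-empty `delegates`
    list adds a Delegation Restriction naming those entities in order."""
    delegate_xml = "".join(
        f'<del:Delegate DelegationInstant="2024-01-01T00:00:{i:02d}Z">'
        f'<saml:NameID Format="{ENTITY_FMT}">{d}</saml:NameID></del:Delegate>'
        for i, d in enumerate(delegates)
    )
    condition = (
        '<saml:Conditions><saml:Condition xsi:type="del:DelegationRestrictionType">'
        f"{delegate_xml}</saml:Condition></saml:Conditions>" if delegates else ""
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:xsi="{NS["xsi"]}" '
        f'xmlns:del="{NS["del"]}" Version="2.0" ID="_constructed-id" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        f"{condition}</saml:Assertion>"
    )


def _delegation_condition(root):
    """Return the Delegation Restriction <saml:Condition>, or None if absent.
    Matching on the xsi:type suffix is a shortcut; a strict parser resolves
    the QName prefix against the in-scope namespace declarations."""
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        if cond.get(XSI_TYPE, "").endswith("DelegationRestrictionType"):
            return cond
    return None


def delegate_chain(assertion_xml):
    """Entity IDs listed as delegates, in document order (empty if no condition)."""
    cond = _delegation_condition(ET.fromstring(assertion_xml))
    if cond is None:
        return []
    return [d.find("saml:NameID", NS).text for d in cond.findall("del:Delegate", NS)]


def may_forward(assertion_xml, me):
    """Scenarios 2 and 3: an SP forwards an IdP-issued, delegation-restricted
    assertion only if the IdP listed that SP itself as a delegate."""
    return me in delegate_chain(assertion_xml)


def add_delegate(assertion_xml, me, instant="2024-01-01T00:01:00Z"):
    """Scenario 1: the SP appends itself as a delegate (creating the condition
    if the IdP issued none) and returns the new assertion text, still unsigned."""
    root = ET.fromstring(assertion_xml)
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        conds = ET.SubElement(root, f"{{{NS['saml']}}}Conditions")
    cond = _delegation_condition(root)
    if cond is None:
        cond = ET.SubElement(conds, f"{{{NS['saml']}}}Condition")
        cond.set(XSI_TYPE, "del:DelegationRestrictionType")
    delegate = ET.SubElement(cond, f"{{{NS['del']}}}Delegate", DelegationInstant=instant)
    name_id = ET.SubElement(delegate, f"{{{NS['saml']}}}NameID", Format=ENTITY_FMT)
    name_id.text = me
    return ET.tostring(root, encoding="unicode")


def rp_decision(assertion_xml, presenter, trusted_issuers, trusted_delegates):
    """One relying-party policy: the issuer must be trusted, every listed
    delegate must be one the RP accepts, and the presenter must be the last
    delegate (or the issuer itself when nothing was delegated).
    Returns (accepted, reason)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS).text
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer}"
    chain = delegate_chain(assertion_xml)
    unknown = [d for d in chain if d not in trusted_delegates]
    if unknown:
        return False, "untrusted delegate(s): " + ", ".join(unknown)
    expected = chain[-1] if chain else issuer
    if presenter != expected:
        return False, f"presented by {presenter}, expected {expected}"
    return True, "accepted"


if __name__ == "__main__":
    idp, sp, rp = "https://idp.example", "https://sp.example", "https://rp.example"
    forwarded = add_delegate(build_assertion(idp), sp)          # scenario 1
    print(delegate_chain(forwarded), rp_decision(forwarded, sp, {idp}, {sp}))
    print(may_forward(build_assertion(idp, [rp]), sp))           # scenario 3: False
```

Scenario 1 is the add_delegate path, scenario 2 the may_forward path with the SP already listed by the IdP, and scenario 3 the may_forward path returning False. The RP side makes the trust questions in the message concrete: the RP needs a configured set of acceptable delegates (which is where metadata, or a role descriptor for delegates, would come in), and it must decide for itself whether the presenter has to be the last delegate or merely one of them.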
