
security-services-comment message



Subject: Re: [saml-dev] SAML2HoKAP question


On Wed, May 20, 2009 at 4:50 AM, Josh Howlett <Josh.Howlett@ja.net> wrote:
>> > Ok. So I assume that the NameID is used by the SAML issuer to name an
>> > intermediate delegate who can wield the assertion as an attesting entity?
>>
>> Yes, but this is just informational. You don't have to do
>> anything special to indirectly authenticate the delegate.
>> It's there in case you don't want to allow delegation (which
>> the condition does a much better job of ensuring, not to
>> mention supporting a chain of delegates).
>
> Ok, I understand now; thank you for the explanation.
>
> Perhaps it's just me being dumb, but the spec might benefit from some
> additional text explaining how the condition should be processed.

Oh, sorry, but the condition Scott speaks of is profiled separately:

http://wiki.oasis-open.org/security/SAML2DelegationCondition

Currently, there's no relationship between the two profiles.  Maybe
there should be?

Tom

