security-services message
Subject: Fw: First contact
Tim,
 
I understand.
This is indeed a brain-dead solution. Does not scale.  Does not plug-and-play.
Only in Shibboleth and similar scenarios will that work satisfactorily, although
I don't see why they should settle on systems requiring centralized
directories.  Not even their WAYF needs or benefits from being centralized
if properly designed.
 
The scenario we are planning requires users belonging to millions of autonomous
organizations to auth* to each other.  URL breakage is a major
concern.
 
Another feature of our system:  If the signed auth* request coming from the
content site times out (it has a validity stamp) because the user is slow
to authenticate to the source site, the system automatically refreshes
the auth-request without user involvement.  Otherwise the user would get
a time-out error when redirecting.  Not everybody thinks that 2-hour time-outs
are satisfactory.  With our approach you don't have to change the time-out
from a regular 20 min or less.
 
Anders
----- Original Message -----
From: Tim Moses
Sent: Friday, July 27, 2001 20:21
Subject: RE: First contact

Anders - I think the bit that is missing for you is how the SAML artifact identifies the location of the corresponding assertion.  One solution is proposed in the SAML Bindings draft.  However, this solution is not positioned as the only possible solution.  Furthermore, even this solution has not been formally accepted by the group - that discussion is yet to come.  The existing solution is to agree identifiers for parties on a bilateral basis.  This identifier is encoded in 32 bits of the artifact and each party is configured to translate the identifier into (for example) a URL.

Best regards.  Tim.

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Friday, July 27, 2001 12:12 PM
To: Tim Moses; OASIS SAML
Subject: Re: First contact


Tim

>snip
> In my mind, a Push version appears to have limited utility (that's a British phrase,
>which, when translated into American, comes out something like: "A Push version is brain-dead").

Interesting: if you studied the document I sent you, I indirectly came to the same
conclusion about the Push version.  I.e. the Pull URL seems to be completely in the air.

Do *you* know where to get these?

Anders
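Tim's description of the artifact above (a 32-bit party identifier, agreed bilaterally, that each relying party translates into a resolution URL) can be sketched in code. The following is an added illustration, not code from either correspondent or from the SAML Bindings draft; the byte layout (2-byte type code, 4-byte identifier, opaque handle), the party identifiers and the URLs are all constructed assumptions, and the bilateral table stands in for whatever configuration store a real deployment would use.

```python
import base64
import struct

# Hypothetical artifact layout (assumed, not the draft's exact bytes):
# 2-byte type code, then the 32-bit party identifier Tim describes,
# then an opaque handle that only the issuing party can interpret.
TYPE_CODE = 0x0001
HEADER = struct.Struct(">HI")  # big-endian: uint16 type code, uint32 party id

# Bilateral configuration (constructed sample): party identifier -> resolution URL.
# Each relying party keeps its own table; nothing central is consulted.
PARTY_URLS = {
    0x00001A2B: "https://source.example.org/saml/resolve",
    0x00003C4D: "https://other.example.net/saml/resolve",
}


def build_artifact(party_id, handle):
    """Encode type code + party id + handle, base64 so it survives a redirect URL."""
    if not 0 <= party_id < 2 ** 32:
        raise ValueError("party identifier must fit in 32 bits")
    return base64.b64encode(HEADER.pack(TYPE_CODE, party_id) + handle).decode("ascii")


def parse_artifact(artifact):
    """Split a received artifact into (party_id, handle); reject malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) <= HEADER.size:
        raise ValueError("artifact too short to carry a handle")
    type_code, party_id = HEADER.unpack(raw[: HEADER.size])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return party_id, raw[HEADER.size:]


def resolution_url(artifact, party_urls=PARTY_URLS):
    """Translate the 32-bit identifier into the bilaterally agreed URL.

    An identifier with no agreement behind it is refused rather than guessed,
    so a stale or mistyped configuration fails closed instead of sending the
    handle to an unintended host (the "URL breakage" concern in the thread).
    """
    party_id, handle = parse_artifact(artifact)
    url = party_urls.get(party_id)
    if url is None:
        raise LookupError(f"no bilateral agreement for party {party_id:#010x}")
    return url, handle
```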
