security-services message
Subject: RE: [security-services] Distributed transaction scenario (and SAML Basics slides)


Hal,

You have a misunderstanding of the distributed transaction scenario. I would urge you
to review carefully Eve's larger presentation, which includes slide 53 as one small
piece. It clearly motivates and clarifies slide 53.

A key reason to bring in SAML in this context is when the sender and receiver
do NOT have direct knowledge of each other. Often the receiver is known to the sender
but not vice versa. In such a case, the sender may interact with an authority trusted by
the receiver and obtain one or more assertions (of any type). These assertions may then
be attached to a SOAP message and sent to the receiver. The receiver is able to process
the business message in the context of the attached assertions. There is also a more
symmetric case where the sender also has no knowledge of the receiver, which I believe is also
called out in one of Eve's slides.

If the sender and receiver have direct knowledge of each other (keys, certificates, identity)
then bringing SAML into the picture adds very little additional value.
 
- prateek
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Tuesday, June 25, 2002 10:21 AM
To: 'Eve L. Maler'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] Distributed transaction scenario (and SAML Basics slides)

Looking at slide 53, I don't think it is wrong, but I believe the more common case would be to simply provide an Attribute Assertion with some Subject Confirmation Method that the recipient can use.

There would be no real need for SSO or to set up a distributed session. The PDP just needs to know the user's attributes. Assuming the user can arrange to sign the SOAP transaction, he or she should be able to use a signature as the subject confirmation method.

Hal

> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@sun.com]
> Sent: Tuesday, June 11, 2002 1:59 PM
> To: Eve L. Maler
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Distributed transaction scenario (and
> SAML Basics slides)
>
>
> Yikes, let's try attaching the thing...
>
> Eve L. Maler wrote:
> > Slide 53 is the most directly relevant one, but I included the whole
> > thing because I've been periodically posting this presentation anyway...
> > This slide shows the motivation for attaching authentication and
> > attribute assertions to a payload containing a purchase order.  Please
> > comment on whether there are additional scenarios that would deviate
> > from this relatively simple flow.
> >
> > By the way, if anyone sees anything inaccurate in the examples or text
> > of the preso as a whole, please let me know because I deliver this talk
> > relatively often and try to keep it up to date.
> >
> > Thanks,
> >
> >     Eve
>
>
> --
> Eve Maler                                    +1 781 442 3190
> Sun Microsystems XML Technology Center   eve.maler @ sun.com
>
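The flow the two messages above describe (Prateek's: a sender unknown to the receiver obtains an assertion from an authority the receiver trusts and attaches it to the SOAP message; Hal's: an attribute assertion whose subject confirmation is the sender's own signature over the transaction, i.e. holder-of-key confirmation) as an added, self-contained example in Go. This is not code from the thread or from any OASIS implementation. Assumptions: the assertion is a deliberately reduced stand-in for the SAML attribute assertion schema, detached ed25519 signatures stand in for XML-DSig (no canonicalization is attempted), the issuer name `https://authority.example`, the subject `alice`, the purchase-order body and all keys are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a reduced stand-in for a SAML attribute assertion (assumption:
// not the real schema). Detached ed25519 signatures replace XML-DSig here.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Issuer       string   `xml:"Issuer,attr"`
	NotBefore    int64    `xml:"Conditions>NotBefore"`
	NotOnOrAfter int64    `xml:"Conditions>NotOnOrAfter"`
	Subject      string   `xml:"AttributeStatement>Subject>NameIdentifier"`
	// Holder-of-key subject confirmation: the key the sender must prove it holds.
	ConfirmKey string      `xml:"AttributeStatement>Subject>SubjectConfirmation>KeyInfo"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

type Attribute struct {
	Name  string `xml:"AttributeName,attr"`
	Value string `xml:"AttributeValue"`
}

// Message is the SOAP envelope reduced to what the receiver checks: the
// assertion (byte-exact, as signed) and its signature from the security
// header, plus the business body and the sender's signature over it.
type Message struct {
	AssertionXML []byte
	AssertionSig []byte
	Body         []byte
	BodySig      []byte
}

// IssueAssertion is the authority's side: it vouches for subject's attributes
// and binds them to holderPub, the key the sender will later sign with.
func IssueAssertion(authPriv ed25519.PrivateKey, issuer, subject string,
	holderPub ed25519.PublicKey, attrs []Attribute, now time.Time) ([]byte, []byte, error) {
	a := Assertion{
		Issuer:       issuer,
		NotBefore:    now.Unix(),
		NotOnOrAfter: now.Add(5 * time.Minute).Unix(),
		Subject:      subject,
		ConfirmKey:   base64.StdEncoding.EncodeToString(holderPub),
		Attributes:   attrs,
	}
	xmlBytes, err := xml.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return xmlBytes, ed25519.Sign(authPriv, xmlBytes), nil
}

// BuildMessage is the sender's side: attach the assertion and sign the body
// with the key the assertion names. That signature is the subject confirmation.
func BuildMessage(assertionXML, assertionSig, body []byte, senderPriv ed25519.PrivateKey) Message {
	return Message{AssertionXML: assertionXML, AssertionSig: assertionSig,
		Body: body, BodySig: ed25519.Sign(senderPriv, body)}
}

// Verify is the receiver's side. It knows nothing about the sender and trusts
// only the issuers in trusted. It returns the attributes the PDP may rely on.
func Verify(m Message, trusted map[string]ed25519.PublicKey, now time.Time) ([]Attribute, error) {
	var a Assertion
	if err := xml.Unmarshal(m.AssertionXML, &a); err != nil {
		return nil, err
	}
	authPub, ok := trusted[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	// 1. The assertion comes from a trusted authority and is unmodified.
	if !ed25519.Verify(authPub, m.AssertionXML, m.AssertionSig) {
		return nil, errors.New("assertion signature invalid")
	}
	// 2. It is inside its validity window (rejects replay of a stale assertion).
	if t := now.Unix(); t < a.NotBefore || t >= a.NotOnOrAfter {
		return nil, errors.New("assertion outside validity window")
	}
	// 3. Subject confirmation: the body was signed by the key the authority bound
	//    to the subject. Without this, anyone who captured the assertion could
	//    attach it to their own purchase order.
	holderPub, err := base64.StdEncoding.DecodeString(a.ConfirmKey)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return nil, errors.New("malformed confirmation key")
	}
	if !ed25519.Verify(ed25519.PublicKey(holderPub), m.Body, m.BodySig) {
		return nil, errors.New("subject confirmation failed: body not signed by confirmed key")
	}
	return a.Attributes, nil
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	xmlBytes, sig, _ := IssueAssertion(authPriv, "https://authority.example", "alice", senderPub,
		[]Attribute{{Name: "role", Value: "purchaser"}}, now)
	body := []byte(`<PurchaseOrder><Item sku="12345" qty="2"/></PurchaseOrder>`) // constructed sample
	trusted := map[string]ed25519.PublicKey{"https://authority.example": authPub}
	fmt.Println(Verify(BuildMessage(xmlBytes, sig, body, senderPriv), trusted, now))
	fmt.Println(Verify(BuildMessage(xmlBytes, sig, body, attackerPriv), trusted, now))
}
```

The receiver never needs the sender's key in advance: the only long-lived trust relationship is the entry in `trusted` for the authority, which is exactly the asymmetric case Prateek describes. Step 3 is what Hal's "signature for subject confirmation" buys; a bearer-style assertion with no confirmation step would be accepted from the attacker as well.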

