OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] RE: [saml-dev] RE: Is a separate"ArtifactReceiver" required?

> I would support adding a minimal extension
> that supports flow from destination to source site. My
> question is whether it needs to be anything more than:
> (taken from
> http://lists.oasis-open.org/archives/security-services/200212/
> msg00001.html)

"Needs" is the key word here. It doesn't need to be anything more, but
in a real world implementation, one finds lots of reasons to want to do

Bob, is there a Web-ISO project document that discusses any requirements
in this area?

From my own experience, I can think of a few things:

- error/status information from the resource site
- customization hooks for the resource site
- optional feature control, such as bypassing single sign-on
- timestamp information for those willing to sync clocks helps detect
stale redirects (the "Back" button fix)
- ability to POST the redirect to allow session maintenance across form
POSTs (a critical issue that requires use of the POST profile to work)

None of that needs to be part of SAML, obviously, but I'd never deploy a
new SSO system that didn't at least plan to deal with things like that
at some point.

It's perhaps partly driven by the fact that "target first" is by far the
primary scenario at my organization.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC