OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] New high level SSO use cases

> Good document, but I have a question/comment. Is the user 
> deciding where the source site is which (s)he needs to 
> authenticate against ? I assume not, since the document 
> states in all scenarios " Destination site redirects the user 
> to a source site". If that's the case the picture for Use 
> case 1: between lines 64 and 65 should show somehow that its 
> a redirection and not self initiated call to authenticate to 
> source site, same for all the other UML flows, unless I have 
> not understood the flow correctly.

This is a fundamental issue with any target-first flow. That is to say, the target could implicitly know where to send the user, or
there has to be a user/user agent interaction of some sort, either at the target, or at some intermediary.

Shib calls this the WAYF (where are you from) function. In Liberty there are some cookie-based, shared-domain schemes used to
introduce the user's identity provider(s) to the target to facilitate the choice, but it's ultimately considered a fairly
context-dependent activity, I think.

I glossed over this in the first draft of the document, but that may be too much to gloss over.

I'll see if I can address that, possibly by next call or possibly not.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC