security-services message



Subject: RE: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded


Scott,

Item 1:
The document uses the terms "identity provider" and "authentication authority".  Only "identity provider" is defined in the Definitions section, and the definition refers to providing "Principal authentication".  I am not clear whether or not these are used interchangeably or are intended to specifically reference different services.

Item 2:
The document specifically states that federations "must" be explicitly consented to by the user.  I understand the implications if the "must" changes to a "should", but I am mulling a consideration inside the enterprise as follows:  The motivation of SSO inside an enterprise is to reduce costs by reducing account maintenance activities (which in turn is accomplished through reduction in the number of accounts and reduction in the number of password resets required).  In that case, allowing the user to choose not to federate accounts may well go against the cost motive of the enterprise (not always bad motives).  Assuming the enterprise will honor necessary privacy considerations and desires to maintain at least some degree of user satisfaction, it seems this would be a case where the enterprise may legitimately not allow for user opt-out.  I realize this would open the door to potentially inappropriate forced federation.

Affiliations would seem to be a means to address this internal enterprise need.  The disadvantage I see is it would force enterprise internal service providers to all adopt the same identity for the user.  Given the myriad of legacy systems in a large enterprise, synchronization of identities among systems is not always possible.

Do I understand this correctly?
Thoughts?

Mike

-----Original Message-----
From: cantor.2@osu.edu [mailto:cantor.2@osu.edu]
Sent: Monday, October 27, 2003 6:42 PM
To: security-services@lists.oasis-open.org
Subject: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded


The document draft-sstc-nameid-05.pdf has been submitted by Scott Cantor
(cantor.2@osu.edu) to the OASIS Security Services TC document
repository.

Document Description:
Schema revisions, added glossary section.

Download Document:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/4029/draft-sstc-nameid-05.pdf

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=4029


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.





