[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] W2a: SSO with Attribute Exchange
>The main change is to allow attribute statements in returned assertions
>carried in an AuthNResponse. The current text in Section 3.2 refers to
>authentication assertions (lines 512 and 444-445), which appears
>to me to be in error. Looking at the remaining text, the intent appears to
>have been to allow assertions with authentication statements to be returned.

I'm not sure *we've* excised all those mistakes in wording yet.

<grumble> data model <grumble>

>This proposal would extend this to allow the occurrence of attribute
>statements as well.

ID-FF 1.2 does explicitly permit other statements "as defined by other specs". It just doesn't say what they might be.

What's missing, IMHO, is control over the attribute statement in the AuthnRequest, which we can rectify fairly easily, except that the thing rapidly stops fitting on the URL as you add this sort of useful thing...

>The <NameIDPolicy> element in an AuthNRequest carries a hint about the type
>of information being requested from the identity provider. The range of
>values would be extended to include "attribute-based".

In practice, that's really what "transient" means. Since by itself it tells you nothing about the principal, there's obviously some other source of information. In Liberty, it's typically a profile service. In SAML, I see no reason why that wouldn't be SAML attributes, which is in fact what Shibboleth does (and I think what you're after).

But note that there's nothing to preclude using attributes *plus* a non-transient identifier. So I think a tweak to the AuthnRequest to capture this concept is still needed.

-- Scott
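The exchange above is about spec wording, but the shape it argues for (a <NameIDPolicy> in the AuthnRequest asking for a transient identifier, and a returned assertion that carries an AttributeStatement next to the AuthnStatement) is concrete enough to show in code. The block below is an added example written for this page; it is not code from the thread, from Shibboleth, or from any OASIS or Liberty specification. It assumes the final SAML 2.0 namespace and NameID-format URIs and the `AllowCreate` attribute on <NameIDPolicy>, all of which postdate this 2003-era discussion; the response it parses is a constructed sample, and signature, Conditions and audience checks are deliberately left out so the code focuses on the one point Scott makes: a transient NameID by itself identifies nobody, so a service provider must get principal information from attributes (or from a non-transient identifier).

```python
"""Build a SAML 2.0 AuthnRequest asking for a transient NameID, and inspect a
Response to see where the principal information actually comes from.

Added example for this page; assumes the final SAML 2.0 namespaces and URIs,
which this thread predates. No signature or Conditions validation is done.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response (not captured from any real IdP). Note the
# transient NameID plus both an AuthnStatement and an AttributeStatement.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2004-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2004-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f3c2a</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2004-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def build_authn_request(issuer: str, name_id_format: str = TRANSIENT,
                        allow_create: bool = True) -> str:
    """Serialize an AuthnRequest whose NameIDPolicy asks for the given format.
    (The thread notes the request has no equivalent knob for attributes yet.)"""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                     {"ID": "_req1", "Version": "2.0",
                      "IssueInstant": "2004-01-01T00:00:00Z"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": name_id_format,
                   "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(req, encoding="unicode")


def summarize_assertion(response_xml: str) -> dict:
    """Pull out the NameID format, the statement types present, and the
    attribute values from the first Assertion in a Response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    statements = [_local(el.tag) for el in assertion
                  if _local(el.tag).endswith("Statement")]
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id_format": fmt, "transient": fmt == TRANSIENT,
            "statements": statements, "attributes": attributes}


def principal_info_available(summary: dict) -> bool:
    """A transient NameID says nothing about the principal, so with that
    format the SP needs attributes; any non-transient NameID suffices on its own."""
    if summary["transient"]:
        return bool(summary["attributes"])
    return summary["name_id_format"] is not None


def without_attribute_statement(response_xml: str) -> str:
    """Return the same Response with its AttributeStatement removed, to show
    what a transient-only assertion leaves the SP to work with."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    for stmt in assertion.findall("saml:AttributeStatement", NS):
        assertion.remove(stmt)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_authn_request("https://sp.example.org/shibboleth"))
    full = summarize_assertion(SAMPLE_RESPONSE)
    print(full, principal_info_available(full))
    bare = summarize_assertion(without_attribute_statement(SAMPLE_RESPONSE))
    print(bare, principal_info_available(bare))
```

The contrast between the full response and the one with the AttributeStatement stripped is the practical reading of "transient": the identifier `_9f3c2a` is usable only for this session and cannot be matched against anything, so a service provider that is handed it without attributes has authenticated someone it knows nothing about. In a real deployment the signature over the Assertion and its Conditions would be verified before any of these values were trusted.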