OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Inclusion of Federated Name RegistrationProtocolin SAML 2.0

> I would like to voice my concerns about the addition of this material
> (Section 3.5 in core-06) to the SAML 2.0 materials. My sense is that this
> was added at the same time when the AuthNRequest/AuthNResponse material
> added from ID-FF 1.2. However, we have not discussed this material and its
> relevance to SAML 2.0.

It was added a revision earlier than that material. The Federation
Termination messages were added in the latest draft. It's main relevance to
me is on the IdP side, providing a way to refresh identifiers to maintain
their privacy semantics.

> I have not been able to understand the use-case for this protocol

See above for my use case.

> At best it seems to represent some kind of completeness consideration
> (having introduced IdP generated opaque handles for account linking, we
> should also permit their update from SPs?). I can see there maybe some
> use-cases that require its use but I would like this acknowledged before
> add this material to SAML 2.0.

The SP half of the protocol is indeed for those niche cases. I think in
ID-FF the ability for the IdP to refresh its identifier was added as an
afterthought, but I think that's actually the more useful half.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]