
security-services message


Subject: Re: [security-services] Comment on sstc-saml-glossary-2.0 (also closesAI #0114)

Mishra, Prateek wrote on 3/11/2004, 6:23 PM:

 > The glossary currently defines "Identity Federation" as one means of
 > establishing "Account Linkage" --
 > [begin-def]
 > A method of relating accounts at two different providers that represent
 > the same principal so that the providers can communicate about the
 > principal. Account linkage can be established through the sharing of
 > attributes or through identity federation.
 > [end-def]

In general, I have a problem with the entire use of the term "accounts"
in any federation discussion.  Federation really is the process of
two parties agreeing on a common handle for an entity.  What they do
with that handle (e.g. associate it with an account on their system)
is out of scope of the specifications and SAML.

I can envision many situations where a user does not have an account
on one of the parties (and perhaps both) and rather the handle is
used to access accounts at other parties (such as retrieving a zip
code from a profile service) without the need for establishment
of an account at the provider.

Of course, as SSO initially rolls out, where users have local accounts
on most systems, the shared handle will be associated with the local
account and you can read that as a linked account.  I just don't want
to burn this into the spec as the way that things should be done or
that this is the only thing that can be done.

