[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also c losesAI #0114)
Scott Cantor wrote on 3/12/2004, 7:45 PM: > > The SP isn't really affected either way, since he can throw the > value away even if the IdP does create it. The user obviously > is affected and should be able to tell the IdP "yes" or "no". I > don't see how putting a value in a request from the SP impacts > the user's ability to do this. It seemed to me to be a UI > optimization to allow the SP to ask the question and tell > the IdP what the user said, which is why I phrased it as a > consent distinction. It's not just that. It's that you're saying if an SP wants to perrform an authentication check they must also initiate a federation whether they want to or not. While I think that many SPs will want to do a federation, I think it is very bad to require that behavior in the API. If we're concerned about bytes on the request, then have a parameter that indicates whether or not the SP wants to federate and have it default to "true" if not specified. Just to give a bit of history here, I'm the one who pushed Liberty to have a combined auth & Fed request because of the optimization of doing both in one call. However I think it is very bad to force that behavior. Conor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]