Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)
> The two requests are essentially:
>
> a) if you can, please tell me who the user is
> b) tell me who the user is, if they haven't yet
> established a connection to me, initiate one
> at this time.

My view is merely that "please tell me who the user is" is either fulfilled or not. "Establish a connection" seems like a secondary interpretation of the result of (a) during a particular response that is beyond the scope of the protocol.

> Those two statements are very different and the expectation
> as to when an SP will do one vs the other are very
> different (in many environments).

I'm not disputing that (b) is significant, I'm only questioning whether it's significant to the protocol in the interest of making sure it's as simple as possible in light of the generality that SAML has to have.

> You may not have such differentiation in your environment, but
> that doesn't mean that you should build the protocol so that
> it prohibits others from having that distinction.

Well, no, I freely admit I see no value in it from the SP side except for the UI. So I'm just trying to understand the use case enough to know how to build the protocol. So far the only use case presented (from Greg) is met by the current proposal. However, I will add a Federate flag to samlp:NameIDPolicy to meet your requirement the next time the request protocol is updated.

-- Scott