
security-services message


Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)

> The two requests are essentially:
>     a) if you can, please tell me who the user is
>     b) tell me who the user is, if they haven't yet
>        established a connection to me, initiate one
>        at this time.

My view is merely that "please tell me who the user is" is either fulfilled
or not. "Establish a connection" seems like a secondary interpretation of
the result of (a) during a particular response that is beyond the scope of
the protocol.

> Those two statements are very different and the expectation
> as to when an SP will do one vs the other is very
> different (in many environments).

I'm not disputing that (b) is significant, I'm only questioning whether it's
significant to the protocol in the interest of making sure it's as simple as
possible in light of the generality that SAML has to have.

> You may not have such differentiation in your environment, but
> that doesn't mean that you should build the protocol so that
> it prohibits others from having that distinction.

Well, no, I freely admit I see no value in it from the SP side except for
the UI. So I'm just trying to understand the use case enough to know how to
build the protocol. So far the only use case presented (from Greg) is met by
the current proposal.

However, I will add a Federate flag to samlp:NameIDPolicy to meet your
requirement the next time the request protocol is updated.

-- Scott
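The distinction argued over above, the (a) "tell me who the user is" request versus the (b) "and federate if no link exists yet" request, comes down to one decision at the IdP when it processes samlp:NameIDPolicy. The following is an added illustration, not code from the thread or from any SAML implementation: it takes the attribute name "Federate" from Scott's message as a placeholder (the attribute and its boolean value are assumptions), uses the real SAML 2.0 protocol namespace and persistent NameID format URIs, and models the IdP's federation table as a plain dict.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"  # samlp namespace
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed request: the SP asks for a persistent identifier and sets the
# assumed Federate flag from the thread. Signatures, bindings and the rest of
# the request are out of scope; only the NameIDPolicy decision is modelled.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1"
    Version="2.0" IssueInstant="2004-02-01T00:00:00Z">
  <samlp:NameIDPolicy Format="{PERSISTENT}" Federate="true"/>
</samlp:AuthnRequest>"""


def parse_policy(xml_text):
    """Return (format, federate) from samlp:NameIDPolicy, with defaults if absent."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None, False
    federate = policy.get("Federate", "false").lower() == "true"
    return policy.get("Format"), federate


def resolve_name_id(xml_text, user, sp_entity_id, federations):
    """IdP-side decision for one request.

    federations maps (user, sp_entity_id) -> opaque persistent identifier.
    Request (a), flag absent: answer only if a link already exists.
    Request (b), flag set:   create the link now if the user has none.
    Returns (status, name_id); name_id is None when the request is not fulfilled.
    """
    fmt, federate = parse_policy(xml_text)
    if fmt != PERSISTENT:
        return "unsupported-format", None
    existing = federations.get((user, sp_entity_id))
    if existing is not None:
        return "success", existing
    if not federate:
        # (a) is simply "not fulfilled"; what the SP does next is its business.
        return "no-federation", None
    # (b): mint an opaque, SP-specific identifier and remember the link.
    new_id = secrets.token_urlsafe(16)
    federations[(user, sp_entity_id)] = new_id
    return "federated", new_id
```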
