OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Stateless Conformity To SAML

Another way to look at this is from the point of view of the peer  
implementation. That is, if my IDP implementation is talking to your SP  
implementation, and I want to ensure that you have terminated any  
persistent record of a federation for a given user, then I need to know  
that either:
a) you support Name ID Management and will terminate any persistent  
record for a given user if I tell you to do so (which, I guess, could  
be a no-op if you don't store persistent records)
b) you don't support Name ID Management, but you don't store persistent  
records of federations either

Where we would run into trouble, I think, is if an implementation  
stores persistent records of user federations but doesn't support Name  
ID Management (federation termination in particular).


On Jul 30, 2004, at 12:25 PM, Steve Anderson wrote:

> I can appreciate that, but I don't think that will be the universally  
> held
> view.  And for those that don't, I think this is a problem.
> Overall, it's an issue of insufficient granularity in the conformance  
> claims.
> I understand we're trying to move away from too much granularity, but  
> this
> has swung to the opposite extreme, IMO.
> --
> Steve Anderson
> OpenNetwork
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, July 30, 2004 2:57 PM
> To: Steve Anderson; security-services@lists.oasis-open.org
> Subject: RE: [security-services] Stateless Conformity To SAML
>> And that's my point -- a conformance claim should offer a helpful  
>> clue,
>> and at the very least, not be misleading.  Claiming conformance to
>> Name ID management messages seems very misleading if the product  
>> doesn't
>> have any notion of "remembering" users.
> But let's be clear...I don't believe it's always the job of the SAML  
> product
> to do this in general. It's the job of the product to inform the  
> surrounding
> infrastructure that the change happened. And I believe that that's how  
> at
> least some people would expect to deploy it. It's certainly how I  
> intend to
> (I do wear both hats).
> In such a case, my product isn't remembering the change (except  
> perhaps to
> modify some transitory state), but I would claim that it's perfectly
> reasonable for me to claim conformance and that it's a useful claim  
> and not
> at all misleading. That's the crux of my argument.
> -- Scott
> To unsubscribe from this mailing list (and be removed from the roster  
> of the OASIS TC), go to  
> http://www.oasis-open.org/apps/org/workgroup/security-services/ 
> members/leave_workgroup.php.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]