OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Stateless Conformity To SAML

> Nothing requires that the Name ID Management service endpoints be  
> co-located with the SSO consumer endpoints, so I don't see that  
> deploying a read-only SAML consumer at an enforcement point on the edge  
> of the network precludes deploying a Name ID Management capability  
> somewhere else.

As I understood it, once you get a change message, you're supposed to modify
any existing session state to reflect the change. IOW, the LogoutRequest
that might come next from the IdP could have the new NameID in it.

If so, in principal it could be a different endpoint, but there's clearly
some communication required that might undermine such a separation.

> In any case, my only point was that it seems fair to require that  
> systems that ARE stateful (ie persistently record name identifiers  
> received via SSO assertions, aka record federations in-band) also  
> support Name ID Management. Systems that are stateless, or that require  
> name identifier mappings (aka federations) to be managed out-of-band,  
> need not support Name ID Management.

Meaning, I guess, having a lower-order class of SP and IdP that we somehow
define in terms of that.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]