Subject: RE: [security-services] Stateless Conformity To SAML
> From: Greg Whitehead [mailto:grw@trustgenix.com]
>
> In any case, my only point was that it seems fair to require that
> systems that ARE stateful (ie persistently record name identifiers
> received via SSO assertions, aka record federations in-band) also
> support Name ID Management. Systems that are stateless, or that require
> name identifier mappings (aka federations) to be managed out-of-band,
> need not support Name ID Management.
>
> -Greg

Now we're onto something.

I've come to agree with Prateek on this issue. We have a specific use case in SAML 2.0 for "attribute-based federation", which is just one example of SAML federation that is *not* done in the Liberty account-linking model (whether that account linking is dynamic or static). I think it would be a bad idea to define "SAML conformant" to *only* cover the ID-FF use cases; there must be some way for a product that supports other use cases, such as attribute-based federation, to be conformant.

One possibility would be to have "conformance targets" that correspond to the existing SAML browser profiles/bindings, without the extra account linking features that came in with SAML 2.0.

- irving -