
security-services message


Subject: RE: [security-services] Stateless Conformity To SAML

> From: Greg Whitehead [mailto:grw@trustgenix.com]
> In any case, my only point was that it seems fair to require that
> systems that ARE stateful (i.e. persistently record name identifiers
> received via SSO assertions, aka record federations in-band) also
> support Name ID Management. Systems that are stateless, or that require
> name identifier mappings (aka federations) to be managed out-of-band,
> need not support Name ID Management.
> -Greg

Now we're onto something. I've come to agree with Prateek on this issue. We have a specific use case in SAML 2.0 for "attribute-based federation", which is just one example of SAML federation that is *not* done in the Liberty account-linking model (whether that account linking is dynamic or static).

I think it would be a bad idea to define "SAML conformant" to *only* cover the ID-FF use cases; there must be some way for a product that supports other use cases, such as attribute-based federation, to be conformant.

One possibility would be to have "conformance targets" that correspond to the existing SAML browser profiles/bindings, without the extra account linking features that came in with SAML 2.0.

 - irving -
