OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Days late and dollars short, comments on "entity" terminology

> "Indicates that the content of the element is the identifier of an 
> entity that provides SAML-based services (such as a SAML authority, 
> requester, or responder) ..."

Fine by me.

> I guess I'm confused, then, because on line 2050, "presenter" is 
> specially defined as distinct from "confirming entity".

Potentially distinct, but 2050 is also talking about the entity that
presents an AuthnRequest to the IdP. But actually the presenter (once he
turns around and delivers the Response) is generally also a confirming
entity as well. Around 2309, you'll see this text:

"The request presenter should, to the extent possible, be the only entity
able to satisfy the <saml:SubjectConfirmation> of the assertion(s)."

In other words, the presenter is generally also a confirming entity (or can
be). And in fact it is one in the browser use case (the presenter is the

But this is beside the point since the subject confirmation text is talking
about an entity presenting an assertion. I'm happy to use a different word
there (Jeff uses "wield", but I always picture a sword).

> The specific question I would raise is: Is a SAML V1.x "authentication 
> authority" (which was specifically not a thing in charge of actual 
> authentication on request) a SAML V2.0 "identity provider", or not? 

Not to me it isn't. Nor is a SAML 2.0 authn authority one *unless* it also
supports this protocol.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]