


security-services message


Subject: RE: [security-services] Suggestion for conformance of NameIdentifier


Cameron, just to touch on your comment about interop. I would think that persistent would be a mandatory identifier format. Therefore if persistent (and transient, as you pointed out) are used, two implementations can interop. The others can be used in an interop iff their interpreted Name Identifier content is the same (or some other way is defined).


-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Tuesday, January 04, 2005 7:21 PM
To: 'Cameron Morris'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Suggestion for conformance of

> Here is an idea.  We could state that as a minimum the SAML
> consumer must treat unrecognized NameIdentifier formats as
> transient.  No persistent data would be stored but SSO would
> still work without failing.  
> This way we have at least some guarantee of interoperability.
>  Then we could let the SAML providers choose any of the Name
> Identifier formats they want.  

I would have assumed this was implied, so I think the real problem is still
just defining what it means to conform. To me, supporting a format as a
consumer means nothing except that you can pass the value resulting from
SAML authentication to whatever is authenticated. Mapping it in any way (let
alone storing it) is out of scope.

There just have to be interfaces to appropriately support people that do
want to map/store the values, hook the ManageNameID protocol, etc. Anything
else, to me, is value-add (or rephrased, bringing out of scope elements in

I really just ask what people were doing before. Did nobody support the
Kerberos format without somehow assuming you had to be able to turn that
into a TGT or something?

-- Scott
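The rule discussed in this thread, as an added example that is not part of the original messages: an SP-side policy in which persistent and transient are the mandatory baseline, a small set of additional formats is passed through to the application untouched (Scott's reading of what "supporting a format" means), and any format the consumer does not recognise is handled as if it were transient, so SSO still succeeds but nothing is stored (Cameron's proposal). The SP entity ID, IdP issuer, the RECOGNISED_PASSTHROUGH set and the `<saml:Subject>` snippets are all constructed for illustration; the Format URIs are the SAML 2.0 ones. It also keys any persisted link on the full (NameQualifier, SPNameQualifier, value) tuple rather than the bare value, since two IdPs can legitimately issue the same opaque string.

```python
"""Added example: SP handling of SAML 2.0 NameID formats.

Not code from the OASIS thread or any SAML implementation; entity IDs,
RECOGNISED_PASSTHROUGH and the sample XML are constructed.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Formats beyond the mandatory pair that this hypothetical SP is willing to
# hand to the application unchanged. Anything not listed is handled as
# transient rather than rejected, which is the interoperability floor proposed.
RECOGNISED_PASSTHROUGH = {FMT_KERBEROS}


def subject_xml(value, fmt=None, name_qualifier=None):
    """Build a constructed <saml:Subject> snippet; sample input, not a real IdP."""
    attrs = ""
    if fmt is not None:
        attrs += f' Format="{fmt}"'
    if name_qualifier is not None:
        attrs += f' NameQualifier="{name_qualifier}"'
    return (f'<saml:Subject xmlns:saml="{SAML2_NS}">'
            f'<saml:NameID{attrs}>{value}</saml:NameID></saml:Subject>')


def parse_name_id(xml_text, issuer):
    """Extract (format, value, NameQualifier, SPNameQualifier) from a Subject."""
    root = ET.fromstring(xml_text)
    nid = root.find(f"{{{SAML2_NS}}}NameID")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("Subject carries no usable NameID")
    # SAML 2.0 Core: an absent Format attribute means 'unspecified'.
    fmt = nid.get("Format", FMT_UNSPECIFIED)
    # An absent NameQualifier is read as the asserting party (the issuer).
    name_qualifier = nid.get("NameQualifier", issuer)
    return fmt, nid.text.strip(), name_qualifier, nid.get("SPNameQualifier")


def decide(xml_text, issuer, sp_entity_id, account_store):
    """Apply the SP policy and return what the application receives.

    account_store maps (NameQualifier, SPNameQualifier, value) -> local account
    and stands in for the SP's persistent federation table.
    """
    fmt, value, nq, spnq = parse_name_id(xml_text, issuer)
    spnq = spnq or sp_entity_id
    result = {"format": fmt, "identifier": value, "local_account": None,
              "persist": False}
    if fmt == FMT_PERSISTENT:
        # Key the link on the whole tuple, never on the bare value: two IdPs
        # can legitimately issue the same opaque string to the same SP.
        key = (nq, spnq, value)
        result["local_account"] = account_store.setdefault(
            key, f"user-{len(account_store) + 1}")
        result["persist"] = True
        result["treatment"] = "persistent"
    elif fmt == FMT_TRANSIENT or fmt not in RECOGNISED_PASSTHROUGH:
        # Transient, or a format we do not understand: SSO still succeeds for
        # this session, but nothing about the identifier is written down.
        result["treatment"] = "transient"
    else:
        # Recognised non-mandatory format: pass the value through untouched
        # and leave any mapping (e.g. to a Kerberos principal) to the app.
        result["treatment"] = "passthrough"
    return result


if __name__ == "__main__":
    store = {}
    idp, sp = "https://idp.example.org/saml", "https://sp.example.com/saml"
    for label, xml_text in [
        ("persistent", subject_xml("a1b2c3d4", FMT_PERSISTENT)),
        ("transient", subject_xml("_9f8e7d", FMT_TRANSIENT)),
        ("unknown", subject_xml("opaque", "urn:example:nameid-format:custom")),
        ("kerberos", subject_xml("alice@EXAMPLE.ORG", FMT_KERBEROS)),
        ("no Format", subject_xml("alice")),
    ]:
        print(label, decide(xml_text, idp, sp, store))
```

The "unknown" and "no Format" cases are the ones the thread is about: both come back with `treatment == "transient"` and nothing added to the store, so the login completes without the SP claiming to understand the format. The third persistent case in the test shows why the qualifier belongs in the key: the same value asserted under a different NameQualifier maps to a different local account instead of silently merging two users.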

