[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Agents and web services
Mr Alistair Young added the following comment to the sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf document in the OASIS Security Services (SAML) TC Group. Would it be possible to expand on the part where the principal offers an X509 certificate to the SP? Does the IdP issue it on behalf of the principal after authentication? If so, why use an X509. Just use AuthenticationStatement. If the ConfirmationMethod is holder-of-key, how to stop malicious agents trawling an LDAP store, gathering X509s and authenticating to the SP as those users? The X509 profile is interesting in the agent scenario, where a service has to query attribute stores on behalf of a user. No HTTP user agent is involved, rather it's communication between web services, with authentication via X509. A use case is a VLE asking for student attributes from an ES enabled SRS to update group permissions. It would be done at the agent level and the SRS will have to have some way to authenticate the agent and verify that it has enough permissions (defined at it's IdP) to ask for the data. View Document Details and Comments: http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=11323 Download Document: http://www.oasis-open.org/apps/org/workgroup/security/download.php/11323/sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser. - Administration
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]