


security-services message


Subject: Agents and web services

Mr Alistair Young added the following comment to the sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf document in the OASIS Security Services (SAML) TC Group.

Would it be possible to expand on the part where the principal offers an X509 certificate to the SP?
Does the IdP issue it on behalf of the principal after authentication? If so, why use an X509? Just use an AuthenticationStatement.

If the ConfirmationMethod is holder-of-key, how to stop malicious agents trawling an LDAP store, gathering X509s and authenticating to the SP as those users?

The X509 profile is interesting in the agent scenario, where a service has to query attribute stores on behalf of a user. No HTTP user agent is involved, rather it's communication between web services, with authentication via X509.

A use case is a VLE asking for student attributes from an ES-enabled SRS to update group permissions. It would be done at the agent level and the SRS will have to have some way to authenticate the agent and verify that it has enough permissions (defined at its IdP) to ask for the data.


- Administration
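The holder-of-key question above turns on what the SP actually checks: a holder-of-key subject confirmation is only satisfied when the presenter proves possession of the private key matching the certificate, so a certificate harvested from a directory is not enough on its own. The following Go program is an added illustration of that check, not code from this thread, from the SAML TC, or from any SAML implementation. It assumes a simplified challenge-response in which the SP hands the presenter a fresh nonce and expects it signed with the key behind the certificate; the function names (newPrincipalCert, ProveKeyPossession, VerifyHolderOfKey, Scenario) and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newPrincipalCert (hypothetical helper) mints a short-lived, self-signed
// X.509 certificate and returns it together with its private key. In a real
// deployment the certificate would come from the principal's CA; the key
// never leaves the principal.
func newPrincipalCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ProveKeyPossession is the presenter's side: sign the SP's nonce with the
// private key. Only a party holding the key can produce this value.
func ProveKeyPossession(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyHolderOfKey is the SP's side: the certificate named in the subject
// confirmation is only accepted if the signature over the nonce verifies
// under that certificate's public key. Possessing the certificate alone
// (e.g. after reading it out of a directory) does not satisfy this check.
func VerifyHolderOfKey(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario runs both cases and returns (legitimateAccepted, harvestedAccepted).
// The second party has a copy of the principal's certificate but only its own
// private key, which is the situation the comment above is worried about.
func Scenario() (bool, bool, error) {
	cert, key, err := newPrincipalCert("student-42") // constructed sample principal
	if err != nil {
		return false, false, err
	}
	nonce := make([]byte, 32) // fresh per request; the SP should never reuse it
	if _, err := rand.Read(nonce); err != nil {
		return false, false, err
	}

	sig, err := ProveKeyPossession(key, nonce)
	if err != nil {
		return false, false, err
	}
	legitimate := VerifyHolderOfKey(cert, nonce, sig)

	_, otherKey, err := newPrincipalCert("someone-else") // has cert copy, not the key
	if err != nil {
		return false, false, err
	}
	forged, err := ProveKeyPossession(otherKey, nonce)
	if err != nil {
		return false, false, err
	}
	harvested := VerifyHolderOfKey(cert, nonce, forged)
	return legitimate, harvested, nil
}

func main() {
	legitimate, harvested, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("key holder accepted: %v, certificate-only presenter accepted: %v\n", legitimate, harvested)
}
```

In a real SAML deployment the proof of possession is usually carried by TLS client authentication or an XML signature over the message rather than a bare nonce, but the SP's decision is the same: bind the subject confirmation to a demonstration of the private key, check the nonce or message for freshness, and validate the certificate chain, which is why a directory full of public certificates does not by itself let an agent impersonate those users.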
