OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Comments on sstc-saml-tech-overview-2.0-draft-0.4-diff.pdf (Section 2)


(A) Propose consolidation of bullet 1 (line 137) and bullet 2 (line 143). I would suggest use of the heading:

SSO Interoperability:

adding most of the material under "Limitations of browser cookies" to the paragraph describing SSO interoperability challenges and value.

 

(B) replace "Federation" by "Federated Identity" on line 151. The following text to replace lines 151-153:

Federated identity deals with the sharing of information about user identities across organizational boundaries while maintaining privacy protection. From an administrative perspective, this type of sharing can help reduce identity management costs as multiple organizations can avoid independently collecting and maintaining identity-related data. From a user-centred viewpoint, as explained under SSO interoperability, this also results in an enhanced user-experience with fewer sign-ons.

 

(C) Section 2.1:

Add following text before "As CarRentalInc.com trusts..." on line 164.

In this case, the user's identity is federated between AirlineInc.com and CarRentalInc.com by business agreement between the business partners with certain attributes (user name, membership level) being used to describe the user.

(D) Section 2.2

Propose re-naming this to be "Account-linking Use Case". I would argue that both use-case scenarios refer to federated identity but that 2.2 further builds on it to add account linking capabilities.

Remove first sentence from line 170.

Replace line 174 beginning at "Account linking ..."

SAML 2.0 supports a model for federated identity based upon pseudonyms. A pseudonym is a privacy preserving identifier shared between a few entities. In this use case, AirLineInc.com describes the user to CarRentalInc.com and HotelBooking.com using (distinct) pseudonyms. Each of CarRentalInc and HotelBookings can link the pseudonym to the existing user account, once user consent has been obtained. In subsequent access, the user will only need to login once to to AirLineInc.com and conduct business at CarRentalInc.com and HotelBookings.com using account information available at these sites.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]