security-services message
Subject: SAML Tech OV Comments (on draft 7)
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: SAML <security-services@lists.oasis-open.org>
- Date: Tue, 2 Aug 2005 10:26:31 -0400
John, nice job articulating the fed cases. Here are some comments on draft 7:

line 236: s/by either/by a/
line 463: s/provided by WSS/provided WSS/
line 576: s/request is "pushed"/request "pushed"/
line 622: s/may obtain/may provider obtain/
line 630: s/an/current an/

General comment regarding Artifact Resolution Service in the multiple diagrams/text. Basically, do not use SAML Responder but rather call this box Artifact Resolution Service (just like you have Assertion Consumer Service or Single Sign-On Service). Also, in figure 16 (and in figure 19) you have a step like Redirect with <AuthnRequest>. The Authn Request is not present here. Instead this should look like "POST SAMLart", then "SAMLart in HTML Form" -- basically identical to figure 17.

line 873: says that the figure shows an HTML form -- but the figure actually shows a Redirect. If you change this based on my comment above to be "POST SAMLart" then the text on line 873 will be correct.

Section 4.4.1 (persistent and transient IDs). I'm not sure whether we should qualify these with SAML (e.g., SAML persistent identifiers, and SAML transient identifiers). The use cases are talking about these 2 SAML formats defined in the spec, so perhaps it makes sense to qualify them -- at least on lines 1031, 1034, 1093, and 1164.

line 1041: s/Band/band/

line 1045: note that when you mention "persistent identifiers" in this use case, you are NOT talking about SAML persistent identifiers but rather using the adjective persistent to mean the ids persist at the provider sites. Perhaps change the text to say "This form of account linking uses identifiers that persist at the corresponding sites."

line 1081 (as well as probably 7 more locations in this chapter): s/The member level attribute ("gold")/The attributes "gold member"/
line 1096: fix the text "examples will shall illustrate"
line 1101: s/latter/later/

figure 26 and 27: I'm not sure what the top left most data implies (i.e., "jdoe" User based account). I would suggest removing this. Or perhaps creating a corresponding entry at the IDP as well.

line 1108 (as well as a few more locations in this chapter -- in the same spot): s/an HTTP/a HTTP/
line 1116 (as well as a few more locations in this chapter -- in the same spot): s/an HTML/a HTML/
line 1130 (as well as a few more locations in this chapter -- in the same spot): s/is created/created is/

Figure 27: In the SP table, for jroe, change n/a to be 61612. The n/a can be defined for 15152 if you want, but the IDP name id is always valued (if the IDP is the originator -- which is the case in this example).

line 1165: s/but what/what/
line 1165: s/do not want/do want/ is this correct? Or were you trying to say something else here??
lines 1189 and 1211: s/"1357"/1357/
lines 1195 and 1217: s/based on/based in/
lines 1239, 1243, 1259, 1263: s/may be/is/ since we are using SOAP, dig sig is optional.
lines 1240 and 1260: s/signature, if necessary, ensuring/signature ensuring/
lines 1241 and 1261: s/provider/Provider/
line 1268: s/using the front channel HTTP Redirect binding/using the redirect binding/
line 1268: s/SOAP back channel binding/back channel/
line 1270: s/initiating/instigating/

Figure 30: Perhaps add SOAP on top of the 2 links.
Figure 31: Perhaps add SOAP on top of the 2 links.
Figure 32: Perhaps add HTTP Redirect on top of links 2 and 5; and add SOAP on top of links 3 and 4.
Figure 33: Perhaps add SOAP on top of the 4 links.
For the SSO Figures, perhaps add SOAP on top of the ArtifactRequest and ArtifactResolve links.
Figures 31 and 32: add to figure title "...- service provider initiated" to align with Figure 33.
Figure 33: Change link labels 3 and 4. The idea is that you contact each one individually. So you would call Car Rental with a Logout Request and then get back a Logout Response. Then you would call Hotel Inc, etc....

line 1463: extra tabs after [XACML]
Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Entrust®
Securing Digital Identities & Information
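The artifact flow Tom asks to have drawn consistently in figures 16, 17 and 19 (browser POSTs SAMLart to the SP's Assertion Consumer Service, SP sends ArtifactResolve to the IdP's Artifact Resolution Service over the SOAP back channel, IdP answers with ArtifactResponse) is shown below as an added example. It is not code from this message or from the Technical Overview draft. The artifact layout (type code 0x0004, endpoint index, SourceID = SHA-1 of the issuer's entityID, 20-byte message handle) and the namespace/status URIs are those of the SAML 2.0 Bindings and Core specifications; the entityIDs are hypothetical, the SOAP transport is modelled as a direct method call, and XML signatures (which the message notes are optional over SOAP) are left out. The two checks a practitioner would want are included: the SP only dereferences an artifact whose SourceID maps to an IdP it trusts, and the IdP hands out each artifact's message at most once, so a replayed SAMLart gets a Requester status and no message.

```python
import base64
import hashlib
import os
import struct
import xml.etree.ElementTree as ET

# Namespaces and status URIs are the real ones from the SAML 2.0 specifications.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ARTIFACT_TYPE = 0x0004  # the one artifact format SAML 2.0 Bindings defines (section 3.6.4)

def source_id(entity_id):
    """SourceID is the SHA-1 of the issuing IdP's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def encode_artifact(entity_id, endpoint_index, handle):
    """TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20), base64."""
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")

def decode_artifact(artifact):
    """Return (endpoint_index, source_id, handle); reject anything but a type-4 artifact."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type 4 artifact must decode to 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type %#06x" % type_code)
    return endpoint_index, raw[4:24], raw[24:44]

def _artifact_response(issuer, status, message_xml):
    """Build <samlp:ArtifactResponse>; the resolved message is embedded only on success."""
    resp = ET.Element("{%s}ArtifactResponse" % SAMLP, {"ID": "_" + os.urandom(8).hex(), "Version": "2.0"})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = issuer
    status_el = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status_el, "{%s}StatusCode" % SAMLP, {"Value": status})
    if message_xml is not None:
        resp.append(ET.fromstring(message_xml))
    return ET.tostring(resp, encoding="unicode")

class IdentityProvider:
    """Issues artifacts and runs the Artifact Resolution Service (the SOAP back channel)."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}  # MessageHandle -> SAML message, removed on first resolution

    def issue_artifact(self, message_xml):
        handle = os.urandom(20)  # unpredictable handle: the artifact is a bearer reference
        self._pending[handle] = message_xml
        return encode_artifact(self.entity_id, 0, handle)

    def artifact_resolution_service(self, resolve_xml):
        """Handle <samlp:ArtifactResolve>; an artifact dereferences at most once."""
        artifact = ET.fromstring(resolve_xml).findtext("{%s}Artifact" % SAMLP)
        try:
            _, sid, handle = decode_artifact(artifact)
        except (ValueError, TypeError):
            return _artifact_response(self.entity_id, STATUS_REQUESTER, None)
        message = self._pending.pop(handle, None) if sid == source_id(self.entity_id) else None
        if message is None:  # unknown, foreign, or already-used artifact: no message, no hint why
            return _artifact_response(self.entity_id, STATUS_REQUESTER, None)
        return _artifact_response(self.entity_id, STATUS_SUCCESS, message)

class ServiceProvider:
    """Receives SAMLart in an HTML form POST and dereferences it over the back channel."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        # SourceID -> IdP; stands in for the metadata lookup that yields the ARS endpoint
        self._by_source = {source_id(idp.entity_id): idp for idp in trusted_idps}

    def assertion_consumer_service(self, form):
        """Return (status URI, ID of the resolved <samlp:Response> or None)."""
        _, sid, _ = decode_artifact(form["SAMLart"])
        idp = self._by_source.get(sid)
        if idp is None:
            raise ValueError("artifact names an IdP this SP does not trust")
        req = ET.Element("{%s}ArtifactResolve" % SAMLP, {"ID": "_" + os.urandom(8).hex(), "Version": "2.0"})
        ET.SubElement(req, "{%s}Issuer" % SAML).text = self.entity_id
        ET.SubElement(req, "{%s}Artifact" % SAMLP).text = form["SAMLart"]
        resp = ET.fromstring(idp.artifact_resolution_service(ET.tostring(req, encoding="unicode")))
        code = resp.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP)).get("Value")
        message = resp.find("{%s}Response" % SAMLP)
        return code, (None if message is None else message.get("ID"))

def run_flow():
    """IdP issues an artifact, SP resolves it once; a replay of the same artifact fails."""
    idp = IdentityProvider("https://idp.example.org/saml")  # hypothetical entityIDs
    sp = ServiceProvider("https://sp.example.com/saml", [idp])
    response_xml = '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0"/>' % SAMLP
    art = idp.issue_artifact(response_xml)
    first = sp.assertion_consumer_service({"SAMLart": art})   # the form the browser POSTed
    replay = sp.assertion_consumer_service({"SAMLart": art})  # same artifact presented again
    return first, replay
```

Calling run_flow() returns the Success status with the resolved Response ID for the first SAMLart POST and the Requester status with no message for the replay. In a real deployment the SP would also bind the resolved Response to the session that carried the SAMLart and verify the Response's own signature and audience; the endpoint index decoded from the artifact selects which of the IdP's published ARS endpoints to call.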