Subject: RE: [security-services] Transient IDs and SAML Conformance
> - An IDP can successfully respond with assertion responses to
> authn requests that contain NameIDPolicy name id format
> requests of "...transient" (where the value/xml format
> follows the SAML specs).

Definitely.

> - An SP can successfully create an implementation specific
> web session for the transient user (however this is done).
> The main point being that the transient user can obtain
> access to some protected resources that cannot be accessed
> without some type of authentication at the SP.

I think access to resources is an application issue. The SP would set up the session, and it should be *possible* to protect an application that would grant access on that basis, but the SP has no way to know that. My point is it's not required for conformance to implement access control in your SP. Many of us might support that, but it's not in the spec.

> - An SP (or IDP) can generate a SAML SLO operation (user
> initiated, for example), such that a Single Logout
> message can be sent to the IDP (or SP) identifying the
> transient name id format and value as well as the SAML session index.
> - An SP (or IDP) can process a SAML SLO request from an IDP
> (or SP) whose NameID uses the previously created transient
> name id format and value as well as the SAML session index.

Definitely, since that's entirely orthogonal to the NameID format and semantics. It's just using it as part of the referencing mechanism of the session.

> Does everyone agree that the above stmts would be true of ANY
> SAML 2.0 conformant IDP/SP implementation?

I think I do modulo the notion of "access" to anything.

-- Scott
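The SLO points in the thread (an SP or IdP sends a LogoutRequest naming the transient NameID format and value plus the SessionIndex, and the other side terminates exactly that session) can be shown end to end. The following is an added example, not code from the thread or from any participant's implementation: it builds an unsigned samlp:LogoutRequest with Python's standard xml.etree, and an SP-side handler that looks the session up under the full reference tuple (Issuer, NameID Format, NameID value, SessionIndex). The SessionStore class, the IdP entity ID and the transient values are constructed for the example; signature verification of the request is assumed to happen before this handler runs and is not shown.

```python
"""SP-side handling of a SAML 2.0 LogoutRequest that carries a transient
NameID and a SessionIndex.  Example code, not from the original thread."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class SessionStore:
    """In-memory SP session table (constructed for this example).  Each web
    session is keyed by the complete SAML session reference: issuing IdP,
    NameID format, NameID value and SessionIndex.  A transient value has no
    meaning outside that tuple, so the lookup key must carry all four parts."""

    def __init__(self):
        self._sessions = {}

    def create(self, idp, name_id_format, name_id, session_index):
        key = (idp, name_id_format, name_id, session_index)
        local_id = uuid.uuid4().hex  # opaque SP-side session cookie value
        self._sessions[key] = local_id
        return local_id

    def terminate(self, idp, name_id_format, name_id, session_index):
        # Only an exact match on the whole tuple ends a session; a stale or
        # mismatched SessionIndex must not log out some other session.
        return self._sessions.pop((idp, name_id_format, name_id, session_index), None)

    def __len__(self):
        return len(self._sessions)


def build_logout_request(issuer, name_id_format, name_id, session_index):
    """Serialise a samlp:LogoutRequest (unsigned; signing is out of scope here)."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def process_logout_request(xml_text, store):
    """SP side: pull (Issuer, NameID Format, NameID, SessionIndex) out of the
    request and terminate exactly that session.  Returns a tuple of
    (top-level status URI, terminated local session id or None)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return STATUS_REQUESTER, None
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id_el = root.find(f"{{{SAML}}}NameID")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    if issuer is None or name_id_el is None or session_index is None:
        return STATUS_REQUESTER, None
    fmt = name_id_el.get("Format")  # absent Format is treated as a distinct key
    local_id = store.terminate(issuer, fmt, name_id_el.text, session_index)
    if local_id is None:
        return STATUS_REQUESTER, None
    return STATUS_SUCCESS, local_id


def demo():
    """Two transient sessions from one IdP; one is logged out, the other survives."""
    idp = "https://idp.example.org/metadata"  # constructed entity ID
    store = SessionStore()
    first = store.create(idp, TRANSIENT, "_t3a9f0c1", "idx-1")   # constructed values
    store.create(idp, TRANSIENT, "_t7b2e4d8", "idx-2")
    status, ended = process_logout_request(
        build_logout_request(idp, TRANSIENT, "_t3a9f0c1", "idx-1"), store)
    return status, ended == first, len(store)


if __name__ == "__main__":
    print(demo())
```

The second call to process_logout_request for the same (NameID, SessionIndex) pair returns the Requester status because the session is already gone, which is the behaviour an SP wants for a replayed LogoutRequest; a request that pairs a known transient value with the wrong SessionIndex is likewise rejected rather than terminating the nearest match.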