OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Transient IDs and SAML Conformance

> - An IDP can successfully respond with assertion responses to 
> authn requests that contain NameIDPolicy name id format 
> requests of "...transient "(where the value/xml format 
> follows the SAML specs).


> - An SP can successfully create an implementation specific 
> web session for the transient user (however this is done). 
> The main point being that the transient user can obtain 
> access to some protected resources that cannot be accessed 
> without some type of authntication at the SP.

I think access to resources is an application issue. The SP would set up the
session, and it should be *possible* to protect an application that would
grant access on that basis, but the SP has no way to know that. My point is
it's not required for conformance to implement access control in your SP.
Many of us might support that, but it's not in the spec.

> - An SP (or IDP) can generate a SAML SLO operation (user 
> initiated, for example), such that the a Single Logout 
> message can be sent to the IDP (or SP) identifyinig the 
> transient name if format and value as well as the SAML session index.
> - An SP (or IDP) can process a SAML SLO request from an IDP 
> (or SP) whose NameID uses theh previously created transient 
> name if format and value as well as the SAML session index.

Definitely, since that's entirely orthogonal to the NameID format and
semantics. It's just using it as part of the referencing mechanism of the

> Does everyone agree that the above stmts would be true of ANY 
> SAML 2.0 conformant IDP/SP implementation? 

I think I do modulo the notion of "access" to anything.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]