security-services message


Subject: Re: [security-services] RE: SAML shared credential (draft-saml-shared-credential-discussion-01.doc)

Scott Cantor wrote:
> My major concern with this proposal is that I don't think it actually
> addresses the use case because there's nothing in the SwitchUser extension
> that tells the IdP it's supposed to switch from a group to a principal.
> That's only implied. It seems like something else is needed, perhaps the
> AuthnContext part, but that alone would be sufficient to solve the problem.
Agreed, we definitely saw <SwitchUser/> working in conjunction with 
other pieces.

The 'if you're not Joe, click here' use case could however be met by 
<SwitchUser/> on its own, I think.

Maybe <SwitchUser/> needs a reasonForChange attribute?
> I think the TC should decide whether assertions about groups are a
> legitimate function, and if they are, we should define a new NameID Format,
> in the form of a URI, that represents a group.
If that turns out to be the consensus, that would address our use case I 
> In fact, we could go a bit farther, and create a "groups" extension that
> defines a URI that is both a NameID Format and an Attribute Name.
Not sure I understand this, but let's discuss on the call.


> -- Scott

Paul Madsen                        e:paulmadsen @ ntt-at.com
NTT                                p:613-482-0432
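The signalling gap Scott raises, as an added illustration that is not part of this thread or of the draft: an IdP-side check that treats a bare <SwitchUser/> as merely implied and acts only when the reasonForChange attribute floated above (and, for a group-to-principal switch, a group NameID Format on the Subject) makes the switch explicit. The extension namespace, the attribute's values and the group Format URI are assumed placeholders; only the SAML 2.0 protocol and assertion namespaces are real.

```python
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Everything below this line is an assumption for illustration, not the draft's schema.
SWITCH_NS = "urn:example:switchuser"                  # hypothetical SwitchUser extension namespace
GROUP_FORMAT = "urn:example:nameid-format:group"      # placeholder for a group NameID Format URI

def classify_switch(authn_request_xml: str) -> str:
    """Return 'none', 'implied' or 'explicit' for the switch signalled by an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    switch = root.find(f"{{{SAML2P}}}Extensions/{{{SWITCH_NS}}}SwitchUser")
    if switch is None:
        return "none"
    reason = switch.get("reasonForChange")            # the attribute proposed in the reply above
    if reason == "not-me":
        return "explicit"                             # 'if you're not Joe, click here' needs nothing more
    name_id = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if reason == "group-to-principal" and name_id is not None and name_id.get("Format") == GROUP_FORMAT:
        return "explicit"                             # says why, and names the group being switched from
    return "implied"                                  # bare <SwitchUser/>: the IdP is left to guess

def idp_should_switch(authn_request_xml: str) -> bool:
    """Fail closed: an IdP acts on a switch only when the request states it explicitly."""
    return classify_switch(authn_request_xml) == "explicit"

def _request(extensions: str, subject: str = "") -> str:
    """Build a constructed (not captured) AuthnRequest around the given child elements."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}" '
            f'ID="_constructed" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">'
            f'<saml:Issuer>https://sp.example.org</saml:Issuer>{extensions}{subject}'
            f'</samlp:AuthnRequest>')

PLAIN_REQUEST = _request("")
IMPLIED_REQUEST = _request(f'<samlp:Extensions><su:SwitchUser xmlns:su="{SWITCH_NS}"/></samlp:Extensions>')
NOT_ME_REQUEST = _request(f'<samlp:Extensions><su:SwitchUser xmlns:su="{SWITCH_NS}" '
                          f'reasonForChange="not-me"/></samlp:Extensions>')
GROUP_REQUEST = _request(f'<samlp:Extensions><su:SwitchUser xmlns:su="{SWITCH_NS}" '
                         f'reasonForChange="group-to-principal"/></samlp:Extensions>',
                         f'<saml:Subject><saml:NameID Format="{GROUP_FORMAT}">accounting-staff'
                         f'</saml:NameID></saml:Subject>')

if __name__ == "__main__":
    for label, req in [("plain", PLAIN_REQUEST), ("implied", IMPLIED_REQUEST),
                       ("not-me", NOT_ME_REQUEST), ("group", GROUP_REQUEST)]:
        print(f"{label}: {classify_switch(req)} -> switch={idp_should_switch(req)}")
```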
