Re: [security-services] RE: SAML shared credential (draft-saml-shared-credential-discussion-01.doc)

[prasanta behera <pkb.prasanta@gmail.com>]

How realistic is the shared credential use case? The example used is
phone. The only use case I have experienced is where the Credt card can
be activated based on your registered phone ( You make the call - punch
in the CC # and if you have made call via the registered phone - the CC
is activated). In a mobile phone or "Digital Home" (shared resource),
it will not be hard to support a switch user model but each user
authenticate using the credential they own.

Any real use case which can help.

Thanks,
/Prasanta

On 1/31/06, Scott Cantor <cantor.2@osu.edu> wrote:

My major concern with this proposal is that I don't think it actually
addresses the use case because there's nothing in the SwitchUser extension
that tells the IdP it's supposed to switch from a group to a principal.
That's only implied. It seems like something else is needed, perhaps the
AuthnContext part, but that alone would be sufficient to solve the problem.

I think the TC should decide whether assertions about groups are a
legitimate function, and if they are, we should define a new NameID Format,
in the form of a URI, that represents a group.

In fact, we could go a bit farther, and create a "groups" extension that
defines a URI that is both a NameID Format and an Attribute Name.

-- Scott


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php