Subject: RE: [security-services] Groups -sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
Hi Tom,

Actually, I have personal experience of a SAML 2.0 IdP implementation that is able to conform to the CD of this profile without significant modifications needed. It's really turned out to be just a matter of having configuration options that cover the signature/encryption requirements for enhanced mode -- the rest is pretty much plain vanilla attribute responder functionality. (The SP side is a little more complicated, but I've found that it's again mostly a configuration issue, not a protocol/profile implementation issue.)

::Ari

> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Tuesday, August 22, 2006 10:23 AM
> To: Ari Kermaier
> Cc: Scott Cantor; security-services@lists.oasis-open.org
> Subject: Re: [security-services] Groups -
> sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
>
> On 8/16/06, Ari Kermaier <ari.kermaier@oracle.com> wrote:
> >
> > > I would say that if you want to use NameQualifier, you should
> > > define a new Format, because the existing Format left it unspecified.
> > > That's why we deprecated the use of the attribute for that Format.
> > > You'd run the risk of expecting NameQualifier to be one thing and
> > > somebody having already implemented it to be something else.
> >
> > Agreed. And I think that the benefit of defining a new Format here is
> > not worth the cost in terms of making existing general-purpose SAML 2.0
> > IdP implementations ineligible to participate in this profile.
>
> This is an illusion, I'm afraid. If it were true that an existing IdP
> deployment could easily participate in this profile (without
> significant modification), we probably wouldn't need this profile (as
> Scott has repeatedly argued). In fact, a year and a half of effort
> trying to do so suggests otherwise.
>
> That said, we agree it is probably unwise to define a new Format, so
> we will drop the NameQualifier requirement and use straight
> X509SubjectName.
>
> A new profile document is forthcoming. Actually, I've taken the
> liberty to decompose the profile into a related set of reusable
> profiles. I hope to upload these by the end of this week.
>
> Tom Scavo
> NCSA/University of Illinois
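The practical consequence of the exchange above (drop the NameQualifier requirement, use the plain X509SubjectName Format) is visible in the subject-handling code of an attribute responder or requester. The following is an added example, not code from the thread, the OASIS SSTC, or any of the implementations Ari or Tom mention. It parses a constructed SAML 2.0 AttributeQuery, requires the X509SubjectName NameID Format, treats NameQualifier/SPNameQualifier as carrying no meaning for that Format (they are reported but never interpreted, which is the risk Scott describes), and compares the DN to the DN expected from the presented certificate after a simple RFC 2253 normalization. The sample query, the issuer URL and the DN values are all made up for illustration.

```python
"""Subject check for an X.509-authenticated SAML 2.0 AttributeQuery.

Policy implemented (an assumption, matching the thread's conclusion):
  * NameID Format must be the SAML 1.1 X509SubjectName URI;
  * NameQualifier / SPNameQualifier are not given any meaning for that
    Format; they are surfaced for logging but never used in a decision;
  * the NameID value must equal the subject DN of the client certificate
    the requester authenticated with (passed in as an RFC 2253 string).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed sample, not captured from any deployment. Signature omitted;
# in the enhanced mode of the profile the query would be signed.
SAMPLE_QUERY = """<samlp:AttributeQuery
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_q1" Version="2.0" IssueInstant="2006-08-22T14:23:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        >CN=Alice,OU=NCSA,O=University of Illinois,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

# Same query but with a NameQualifier that some sender decided to set.
QUALIFIED_QUERY = SAMPLE_QUERY.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"',
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"'
    ' NameQualifier="https://ca.example.org"')


def _split_dn(dn):
    """Split an RFC 2253 string on unescaped commas, keeping escapes intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Upper-case attribute types and drop whitespace around RDN separators.

    Deliberately minimal: it does not canonicalize attribute values or
    multi-valued RDNs, so two DNs that differ only in those ways will not
    compare equal. Fail closed rather than guess.
    """
    out = []
    for rdn in _split_dn(dn):
        attr_type, _, value = rdn.strip().partition("=")
        out.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(out)


def check_subject(xml_text, expected_dn=None):
    """Return a dict describing whether the query's Subject is acceptable."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return {"ok": False, "reason": "no saml:NameID in Subject"}
    fmt = name_id.get("Format")
    if fmt != X509_SUBJECT_NAME:
        return {"ok": False, "reason": f"unexpected NameID Format {fmt!r}"}
    # Neither attribute has a defined meaning for this Format, so record
    # their presence but make no decision depend on their values.
    ignored = [a for a in ("NameQualifier", "SPNameQualifier")
               if name_id.get(a) is not None]
    dn = normalize_dn(name_id.text or "")
    if expected_dn is not None and dn != normalize_dn(expected_dn):
        return {"ok": False, "reason": "NameID does not match certificate subject",
                "subject_dn": dn, "ignored_qualifiers": ignored}
    return {"ok": True, "reason": "", "subject_dn": dn,
            "ignored_qualifiers": ignored}


if __name__ == "__main__":
    print(check_subject(SAMPLE_QUERY, "CN=Alice, OU=NCSA, O=University of Illinois, C=US"))
    print(check_subject(QUALIFIED_QUERY))
```

The point of ignoring rather than rejecting NameQualifier is that a responder which assigned it a meaning would be exactly the "somebody having already implemented it to be something else" Scott warns about; the only binding the responder trusts is the one between the NameID value and the DN of the certificate the requester actually authenticated with.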