

Subject: RE: [security-services] Groups -sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded


Hi Tom,

Actually, I have personal experience of a SAML 2.0 IdP implementation that is able to conform to the CD of this profile without significant modifications needed. It's really turned out to be just a matter of having configuration options that cover the signature/encryption requirements for enhanced mode -- the rest is pretty much plain vanilla attribute responder functionality. (The SP side is a little more complicated, but I've found that it's again mostly a configuration issue, not a protocol/profile implementation issue.)

::Ari


> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Tuesday, August 22, 2006 10:23 AM
> To: Ari Kermaier
> Cc: Scott Cantor; security-services@lists.oasis-open.org
> Subject: Re: [security-services] Groups -
> sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded
> 
> 
> On 8/16/06, Ari Kermaier <ari.kermaier@oracle.com> wrote:
> > >
> > > I would say that if you want to use NameQualifier, you should
> > > define a new Format, because the existing Format left it
> > > unspecified. That's why we deprecated the use of the attribute for
> > > that Format. You'd run the risk of expecting NameQualifier to be
> > > one thing and somebody having already implemented it to be
> > > something else.
> >
> > Agreed. And I think that the benefit of defining a new Format here
> > is not worth the cost in terms of making existing general-purpose
> > SAML 2.0 IdP implementations ineligible to participate in this
> > profile.
> 
> This is an illusion, I'm afraid.  If it were true that an existing IdP
> deployment could easily participate in this profile (without
> significant modification), we probably wouldn't need this profile (as
> Scott has repeatedly argued).  In fact, a year and a half of effort
> trying to do so suggests otherwise.
> 
> That said, we agree it is probably unwise to define a new Format, so
> we will drop the NameQualifier requirement and use straight
> X509SubjectName.
> 
> A new profile document is forthcoming.  Actually, I've taken the
> liberty to decompose the profile into a related set of reusable
> profiles.  I hope to upload these by the end of this week.
> 
> Tom Scavo
> NCSA/University of Illinois
>
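The NameID handling the thread settles on (a plain X509SubjectName NameID with no NameQualifier), as an added example that is not part of the original messages or of any implementation discussed there: a small Python check an attribute responder could run on an incoming AttributeQuery before answering it. The namespace and Format URIs are the standard SAML 2.0 ones; the sample query, issuer and DN are constructed here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


def build_query(subject_dn, name_qualifier=None, fmt=X509_SUBJECT_NAME):
    """Build a minimal SAML 2.0 AttributeQuery whose Subject is a NameID
    carrying a certificate subject DN (constructed sample, not a real message)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    query = ET.Element(f"{{{SAMLP_NS}}}AttributeQuery",
                       ID="_constructed-id", Version="2.0",
                       IssueInstant="2006-08-22T10:23:00Z")
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = "https://sp.example.org"
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=fmt)
    if name_qualifier is not None:
        nameid.set("NameQualifier", name_qualifier)
    nameid.text = subject_dn
    return ET.tostring(query, encoding="unicode")


def check_subject_nameid(query_xml):
    """Return the problems an attribute responder should raise about the
    query's Subject/NameID under the plain-X509SubjectName rule (empty = OK)."""
    problems = []
    root = ET.fromstring(query_xml)
    nameid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nameid is None:
        return ["no saml:NameID in Subject"]
    if nameid.get("Format") != X509_SUBJECT_NAME:
        problems.append(f"unexpected Format {nameid.get('Format')!r}")
    # The X509SubjectName Format leaves NameQualifier semantics unspecified, so
    # a value here is ambiguous (issuer? realm?); refuse it rather than guess.
    for attr in ("NameQualifier", "SPNameQualifier"):
        if nameid.get(attr) is not None:
            problems.append(f"{attr} must not be set for X509SubjectName")
    if not (nameid.text or "").strip():
        problems.append("empty NameID value")
    return problems


if __name__ == "__main__":
    dn = "CN=Example User,O=Example Org,C=US"
    print(check_subject_nameid(build_query(dn)))  # []
    print(check_subject_nameid(build_query(dn, "https://idp.example.org")))
```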


