
security-services message


Subject: proposed text for Section 4.5 "Use of Attributes"

(1) Remove Section 4.4.5

(2) Add a new section 4.5, "Use of Attributes"

As explained in Section 2.2, the SAML assertion transferred from an 
identity provider to a service provider may include attributes 
describing the user. The ability to transfer attributes within an 
assertion is a powerful SAML feature and it may also be combined with 
the forms of identity federation described above. 

We describe some typical use patterns:

1. Transfer of profile information

Attributes may be used to convey user profile information from the
identity provider to the service provider. This information may be used
to provide personalized services at the service provider, or to augment
or even create a new account for the user at the service provider. The
user should be informed about the transfer of information, and, if
required, user consent explicitly obtained.

2. Authorization based on attributes

In this model, the attributes provided in the SAML assertion by the 
identity provider are used to authorize specific services at the service 
provider. The service provider and identity provider need prior 
agreement (out of band) on the attribute names and values included in 
the SAML assertion. An interesting use of this pattern which preserves 
user anonymity but allows for differential classes of service is found 
in Shibboleth [CITE]: federation using transient pseudonyms combined 
with authorization based on attributes.
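As an added example (not part of this message or of any SAML specification text), the service-provider side of pattern 2: a constructed SAML 2.0 assertion with a transient pseudonym and an agreed attribute is parsed, and the attribute values are mapped to a class of service under an assumed out-of-band agreement (the issuer, attribute values and mapping are hypothetical).

```python
import xml.etree.ElementTree as ET
# SAML 2.0 assertion namespace and the transient NameID format URI.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (hypothetical issuer): transient pseudonym + one multi-valued attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed out-of-band agreement between SP and IdP: attribute consulted and value -> service class.
SERVICE_CLASSES = {
    "eduPersonAffiliation": {"faculty": "premium", "staff": "premium", "student": "standard"},
}
RANK = {"premium": 2, "standard": 1}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.
    Assumes the assertion signature was already validated; use defusedxml for untrusted input."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs


def is_transient_subject(assertion_xml):
    """True when the subject is a transient pseudonym, i.e. no stable user identity is disclosed."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return name_id is not None and name_id.get("Format") == TRANSIENT


def service_class(attrs):
    """Highest class that any agreed attribute value unlocks; None means no service (deny)."""
    best = None
    for name, mapping in SERVICE_CLASSES.items():
        for value in attrs.get(name, []):
            cls = mapping.get(value)
            if cls and (best is None or RANK[cls] > RANK[best]):
                best = cls
    return best
```

Values outside the agreed set (here "member") grant nothing, so an identity provider cannot unlock a service class the service provider never agreed to.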
