
security-services message



Subject: RE: [security-services] Some tech overview comments


> While I think ECP is actually quite clever, is it not, actually,
> more often, in pre-existing devices/architectures, used like a
> prosthetic/remediation profile? And wouldn't -most- new clients
> be wise to study closely, and give initial favor to, the other
> profiles? Which gets to Brian's questions in:

Well, no. The browser profile is the one to avoid, especially when designing
new work. ECP, and its Liberty variants and profiles of plain SOAP SSO, are
the ones to use for most use cases. They address discovery and support all
applications that can handle SAML assertions as an attachment.

If anything we undersell ECP, but that's mainly because you need ID-WSF to
maximize its usefulness.

> 5.2 ECP Profile
> The browser SSO profile discussed above works with popular web
> browsers, fully-featured web libraries and tool kits, and many
> embedded implementations. This section, in contrast, describes
> a SAML V2.0 profile which fits when, to participate in SAML V2.0
> use cases, a client deployment context requires assistance
> through proxy service, or requires enhancement.

But this is simply wrong. It is for clients that have intelligence. The
proxy/WAP angle is the one I find silly. I'm sure that matters to a
particular niche, but it's not appropriate for an overview.

None of this is to disagree with Brian's points...I think there's a place to
talk about ECP but not as a basic example of what's currently in the spec
and in wide use.
 
-- Scott



