OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] question on MNI request for SP Lite/IdP Lite


ARI KERMAIER wrote on 2009-03-25:
> have two questions which I would like feedback from SSTC on. [Ari
> Kermaier] What business does a Lite implementation have using persistent
> NameIDs? My (admittedly dim) recollection of the origins of this
> conformance mode is that it stemmed from the concern of some SP
> implementers that they could not be conformant unless they had account
> linking data storage that would persist from one user session to the
> next. It seems to me that the idea of a Lite implementation is
> inconsistent with the persistent NameID processing rules, and that
> differentiating based on support for MNI is really just a proxy for
> differentiating based on persistence.

Technically the rules involved aren't specific to persistent IDs, at least
on the SP side. Definitely some impact on the IdP side. The other component
had to do with server-side state (e.g. back channel logout, which means you
can't leave the state solely in a cookie).

But I think it was a mistake to make those features MUST NOT. More than one
person has asked what that means, and I can't come up with an answer.

-- Scott



