OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Distinguishing Basic HTTP authentication mechanisms from form-auth

I have a colleague that's been working on the use of SAML with WebDAV, and
one issue that's arising is the need to identify endpoints at an IdP that
can support Basic authentication (or possibly other browser-aware
approaches) from techniques like forms that an HTTP client isn't aware of.

This isn't something that's easily captured by the existing context classes,
since the authentication interaction is a finer-grained distinction on top
of things like PasswordProtectedTransport.

Has anybody had to deal with this before?

It seemed to me the two likely options, other than a combinatorial explosion
of context classes, would be using declaration references instead of
classes, or actually exposing something about the technical details in a
metadata extension in the SSO endpoint elements.

The problem with declaration references is that they just don't scale all
that well without coordination between systems. Classes work well globally
mainly because OASIS defines the strings.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]