[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments on proposed NameID protocol
Regarding the proposal here: http://www.oasis-open.org/apps/org/workgroup/security/download.php/34221/SAM L%20Name%20Identifier%20Protocol.ppt As I expressed on the last TC call, I don't really understand the intention of this proposal or the claims in the PPT slides about its necessity to avoid certain requirements when introducing new SPs into a federation. Specifically, what is the use case for an IdP caring what an SP's identifiers are? We have a particular case of that in SAML, such that an SP can attach its own aliases to a federated identity for later use, but that doesn't require a new protocol (and is a questionable feature in its own right IMHO). By definition, an IdP knows its users, and it knows their identifiers both internally and the ones it creates/issues for use externally. When a new SP "appears", there isn't any need that I can see for loading the IdP with new information from the SP during the SSO/federation process. I do understand the use case for "bulk" or OOB federation, but this proposal seems to be something different. It's stated purpose is to "free the SP from the need to import all of their Users into IdP databases as soon as they have become part of an IdP's circle of trust". But that's not a need. Instead you simply federate users to the SP as they show up in the IdP->SP direction. So, I think I'm probably missing the point on this. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]