OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Comments on proposed NameID protocol


Regarding the proposal here:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/34221/SAM
L%20Name%20Identifier%20Protocol.ppt

As I expressed on the last TC call, I don't really understand the intention
of this proposal or the claims in the PPT slides about its necessity to
avoid certain requirements when introducing new SPs into a federation.

Specifically, what is the use case for an IdP caring what an SP's
identifiers are? We have a particular case of that in SAML, such that an SP
can attach its own aliases to a federated identity for later use, but that
doesn't require a new protocol (and is a questionable feature in its own
right IMHO).

By definition, an IdP knows its users, and it knows their identifiers both
internally and the ones it creates/issues for use externally. When a new SP
"appears", there isn't any need that I can see for loading the IdP with new
information from the SP during the SSO/federation process.

I do understand the use case for "bulk" or OOB federation, but this proposal
seems to be something different. It's stated purpose is to "free the SP from
the need to import all of their Users into IdP databases as soon as they
have become part of an IdP's circle of trust". But that's not a need.
Instead you simply federate users to the SP as they show up in the IdP->SP
direction.

So, I think I'm probably missing the point on this.

-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]