security-services message



Subject: RE: [security-services] Comments on proposed NameID protocol


George Fletcher wrote on 2009-10-02:
> Where I'm confused with the proposal is how does the IdP authenticate a
> user for which it has no credentials?

Exactly. The identifier isn't relevant (and the IdP doesn't need it).

> It seems like if an SP joins a CoT
> it has to provide a legacy auth mechanism for its existing users. It can
> also support an upgrade path that allows its existing users to
> associate/link/bind their IdP identifier to their existing SP "account".

Right.

> This binding process is sort of the inverse of this proposed protocol.

Yes, and that's pretty much what federation via SSO *is*, the inverse.
That's how it's assumed to work.

-- Scott
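As an added example (not code from this thread, from OASIS, or from any SAML implementation), the following toy Python model shows the SP-side "binding" step George describes: an SP that joins a CoT keeps its legacy credential store, authenticates existing users with it, and only then lets an authenticated user link an IdP-issued NameID to the local account; later federated logins resolve the (IdP entity ID, NameID) pair back to that account. The `ServiceProvider` class, the account names and the PBKDF2 parameters are assumptions for illustration; assertion parsing and signature validation are out of scope and are assumed to have already happened before `federated_login()` is called with a trusted NameID.

```python
"""Toy model of SP-side account linking ("binding") for an SP that joins a CoT
with pre-existing local users. Added example; not from the thread, OASIS, or
any SAML implementation. Assertion parsing/signature validation are assumed
to have been done before federated_login() receives a trusted NameID."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune per deployment


@dataclass
class LocalAccount:
    username: str
    salt: bytes
    pw_hash: bytes


class ServiceProvider:
    """Hypothetical SP: legacy password store plus a table of federated links."""

    def __init__(self) -> None:
        self.accounts: dict[str, LocalAccount] = {}
        # Links are keyed by (IdP entity ID, NameID): a NameID is only meaningful
        # relative to the IdP that issued it, so two IdPs may reuse the same value.
        self.links: dict[tuple[str, str], str] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_legacy_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = LocalAccount(username, salt, self._hash(password, salt))

    def legacy_login(self, username: str, password: str) -> Optional[str]:
        """Legacy auth: the only way an as-yet-unlinked user can prove control
        of the local account. Returns the authenticated username or None."""
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(password, b"\x00" * 16)  # equalize timing for unknown users
            return None
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            return None
        return username

    def link_federated_identity(self, authenticated_user: str,
                                idp_entity_id: str, name_id: str) -> bool:
        """Bind an IdP identifier to the account of an already-authenticated user.
        Refuses if that (IdP, NameID) pair is already bound to a different
        account, so one federated identity resolves to at most one local user."""
        if authenticated_user not in self.accounts:
            return False
        key = (idp_entity_id, name_id)
        owner = self.links.get(key)
        if owner is not None and owner != authenticated_user:
            return False
        self.links[key] = authenticated_user
        return True

    def federated_login(self, idp_entity_id: str, name_id: str) -> Optional[str]:
        """SSO path. Returns the linked local account, or None so the caller
        can fall back to legacy auth followed by linking (the upgrade path)."""
        return self.links.get((idp_entity_id, name_id))


def demo() -> list:
    """Walk through the upgrade path once; returns the observed outcomes."""
    sp = ServiceProvider()
    sp.create_legacy_account("alice", "correct horse battery staple")  # constructed
    idp, nid = "https://idp.example.org/metadata", "nid-7f3a"  # constructed values
    steps = [sp.federated_login(idp, nid)]           # None: nothing linked yet
    user = sp.legacy_login("alice", "correct horse battery staple")
    steps.append(user)                                # "alice"
    steps.append(sp.link_federated_identity(user, idp, nid))  # True
    steps.append(sp.federated_login(idp, nid))        # "alice"
    return steps


if __name__ == "__main__":
    print(demo())
```

The two checks worth noting from a defender's perspective are that `link_federated_identity()` only runs for a user who has just passed `legacy_login()`, which is exactly why the SP must keep a legacy auth mechanism for the transition, and that links are keyed by the issuing IdP's entity ID and refuse to rebind a NameID already owned by another account, so a federated identity cannot be attached to a second local user.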