OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: proposal for SAML Attribute Management Protocol

Hi Thinh, Cristian,

I reviewed your proposal for adding some attribute management messages 
to SAML.

This area is generally of interest to us - broadly speaking the idea 
that relying parties will
contribute information about users - act as authorities in their own 
right - and further this information may need to be
conveyed to other parties (not just to IdPs).

One concern is that management and propagation of identity data did not 
occupy an important
place in the original SAML use-cases. Instead, SSO, with only a modest 
role for attributes, is the
main focus of the effort. For example, many attributes originate from 
authorities distinct from an
IdP (entity that manages authentication) but this plays a small role in  
the SAML protocols - though
SAML 2.0 does provide the AttributeQuery message for interaction with an 
identity authority. So
there is a precedent within SAML 2.0 for your proposal.

We have been working on IGF, a framework that models a world wide 
network of authorities that
provide identity data about subjects. At the other end, there are 
business services that require identity data in order to be effective,
but may also assert identity information - and this may also be 
published to authorities.
I encourage you to take a look at the use-case document, it captures a 
broad range of interactions between
consumers and producers of identity data - and also focuses on the 
privacy properties of these interactions.


The CARML specification is more focused on specific interactions 
originating from a relying party - the introduction in particular
may be helpful in conveying the main focus of the project.

We have NOT built a run-time protocol that models the interactions of 
interest to us. There are many reasons for this, but the main
point is that we havent addressed this issue yet, and filling this gap 
could provide an area of common interest for several of us.

One idea would be to extend your proposal,
so that rather than being a small extension to the existing SAML 
protocols, it becomes a comprehensive set of messages that
describe the interactions between an identity authority and a relying 

- prateek

> The document named SAML Attribute Mgt Protocol (SAML Attribute Mgt
> Protocol.ppt) has been submitted by Mr. Thinh Nguyenphu to the OASIS
> Security Services (SAML) TC document repository.
> Document Description:
> SAML Attribute Mgt Protocol proposal
> View Document Details:
> http://www.oasis-open.org/committees/document.php?document_id=34222
> Download Document:  
> http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
> -OASIS Open Administration

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]