
security-services message


Subject: RE: [security-services] Question about the HoK Web Browser SSO Profile

Harold Lockhart wrote on 2010-02-22:
> 1. A SAML Attribute Statement can be carried in the Assertion, thus allowing
> attributes to be associated with the authenticated identity.

More precisely, attributes that aren't inside a certificate and subject to all of the mess that entails (where mess is in the eye of the beholder).

> 2. If only server certificates are being used, the IDP could perform the
> Authentication for the SP. The SP will still have to know how to do TLS, but
> not, for example, how to validate a hardware token.

I suppose that's part of it. To me, the value is in offloading the PKI to the IdP. The SP doesn't have to validate the certificate, it just has to compare it to the one the IdP put in the assertion.

Of course, this would be more compelling if client TLS wasn't so unusable re: the clients and servers, but that's not something we can solve here.

-- Scott
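The check Scott describes, the SP comparing the TLS client certificate against the one the IdP placed in the assertion rather than validating it itself, as an added example that is not part of the original thread or of any OASIS deliverable. It assumes the SAML V2.0 holder-of-key subject confirmation method URI and a KeyInfo carrying a ds:X509Certificate; the assertion fragment, the certificate bytes and the names (build_assertion, hok_certificates, confirm_holder_of_key) are constructed for illustration, and the assertion's XML signature is assumed to have been verified before this function is called.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from typing import List

# Namespaces and the holder-of-key subject confirmation method from SAML V2.0 Core.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# The SP never parses these: it only compares bytes, which is the point of
# offloading the PKI to the IdP.
ALICE_CLIENT_CERT_DER = b"constructed-DER-bytes-for-alice-client-cert"
OTHER_CERT_DER = b"constructed-DER-bytes-for-some-other-cert"


def build_assertion(cert_der: bytes, method: str = HOK_METHOD) -> str:
    """Return a constructed, unsigned assertion fragment whose SubjectConfirmation
    carries the given certificate under the given confirmation method.
    (Hypothetical helper used to produce sample input for the check below.)"""
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        Version="2.0" ID="_constructed-1">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def hok_certificates(assertion_xml: str) -> List[bytes]:
    """Collect the DER certificates the IdP bound to the subject via holder-of-key
    confirmation. Bearer (or any other) confirmations are deliberately ignored,
    so an assertion without HoK confirmation yields an empty list."""
    root = ET.fromstring(assertion_xml)
    certs: List[bytes] = []
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != HOK_METHOD:
            continue
        for x509 in sc.iter(f"{{{DS_NS}}}X509Certificate"):
            # Base64 in XML may be wrapped; strip whitespace before decoding.
            certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """The SP-side check: the certificate the browser presented during the TLS
    handshake must match, byte for byte, one the IdP put in the assertion.
    No chain building, revocation checking or policy evaluation happens here;
    that work was done by the IdP when it authenticated the client.
    Precondition: the assertion's signature has already been verified, otherwise
    the KeyInfo being compared against is not trustworthy."""
    return any(
        hmac.compare_digest(bound, presented_cert_der)
        for bound in hok_certificates(assertion_xml)
    )


if __name__ == "__main__":
    hok = build_assertion(ALICE_CLIENT_CERT_DER)
    print("matching client cert accepted:", confirm_holder_of_key(hok, ALICE_CLIENT_CERT_DER))
    print("other client cert rejected:   ", confirm_holder_of_key(hok, OTHER_CERT_DER))
    bearer = build_assertion(ALICE_CLIENT_CERT_DER, method=BEARER_METHOD)
    print("bearer confirmation rejected:  ", confirm_holder_of_key(bearer, ALICE_CLIENT_CERT_DER))
```

The comparison is on the raw DER rather than on a fingerprint so that nothing in the SP depends on choosing a hash; if an SP wants to log which certificate was bound it can hash the bytes after the match. A client that presents no certificate, or an assertion that only carries bearer confirmation, both fail closed.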
