security-services message


Subject: Re: [security-services] Question on SP initiated authentication & provisioning first time user


One of the big drivers for modification is definitely identity  
portability between IDPs.

However, we must also assume that because business applications
generate value, they often build knowledge (i.e. attributes)
about users (e.g. an HR system knows about employees, eBay knows
about reputation, etc.). So it is reasonable that the SP may also wish
to provision attributes.

The problem as I see it is:

1. Agreement to exchange may need to be negotiated (or assumed)
2. Given SAML's identifier requirements, the add / modify requirement  
must support SAML's notion of identifiers --> does this imply a  
requirement for a SAML defined/specified solution or profile of  
another protocol agreed upon within SAML?

Phil
phil.hunt@oracle.com




On 29-Apr-10, at 2:35 PM, Scott Cantor wrote:

>> Provisioning of claims seems to be a natural part of the life-cycle
>> between SPs and IDPs. After all, SPs also generate claims themselves.
>
> Yes, but many IdPs will be unwilling to store them IMHO.
>
>> That said, I agree, provisioning probably isn't a big issue right now
>> if your use case focuses on SSO and can use bulk provisioning  
>> within a
>> tight vertical.
>
> I'm still not getting the provisioning problem you're trying to solve,
> unless it's identity portability.
>
>> I agree, SPML could potentially work fine if agreed on and profiled in
>> the context of SAML. Without that, the real issue is too many choices
>> and no agreement in advance on standards.
>
> Of course.
>
>> SAML also has a different way of handling identifiers.  Would SPML be
>> compatible with SAML use cases?
>
> I would have assumed SPML wasn't crazy enough to try to dictate  
> identifiers.
>
> -- Scott
>
>