[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Re: Proposed Agenda for SSTC Call (May 18,2010)
>> Another way to approach this would be to embed an Assertion inside an >> AuthnRequest via an Extension as the provisioning flow, and perhaps >> duplicate the assertion subject into the AuthnRequest to "connect" them. >> That's just the inverse of my suggestion. That might be more consistent with >> existing flows but without fundamentally reinventing anything. > >Forgot to mention, obviously this is superficially more like the original AddSubject proposal that I was objecting to, but the difference is: > >- it's not a new protocol, rather it's carried along with a standard SSO request >- it's front-channel, with security properties that are already understood >- the assertion acts as a security token and has subject confirmaation, an audience, etc., rather than just acting as data Ah, now I see what you and Ari were getting at. Sorry to have been dense on the call. If we're committed to the idea of using a <Response> as confirmation of success/conveyance of information about the new principle to the initiating provider, I think doing it this way actually makes a lot of sense. No new endpoints in the metadata would be needed, either. I'll think a little more about it, but on first blush, I prefer this approach.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]