Re: [security-services] Re: Proposed Agenda for SSTC Call (May 18, 2010)

[Phil Hunt <phil.hunt@oracle.com>]

Thanks for the discussion on this. Really appreciate your input...keep  
it coming!

Unfortunately I'm stuck in meetings all week or I'd be in the dialog.   
But just wanted to say, you seem to have the issues understood from my  
perspective.

I think one important item that was raised is that the SP would like  
to get control back from the Target IDP regardless of success/ 
failure.  One discussion point raised on the call is that the SP may  
then wish to issue a de-provision request with the "local IDP" (we can  
talk about that particular operation later). It does seem to me that  
it would be bad news if the SP did that without knowing the success or  
failure of the original request because the user got "stuck" at the  
Target.  Never-the-less, maybe this could be a situation that "auto- 
heals" if the user shows up at a future date having been authenticated  
by the Target IDP first.

Phil
phil.hunt@oracle.com




On 19-May-10, at 8:55 AM, Scott Cantor wrote:

>> An IdP would be very unlikely to expose an AssertionConsumerService  
>> by
>> accident, but I can see your point.
>
> AFAIK, many commercial products are gateways and include both roles  
> in many cases.
>
> -- Scott
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>