
Subject: RE: [security-services] I: [security-services] Token correlation (Nate's summary)

> I think it can be useful to post the following conversation with Thinh; it
> helps to clarify.

It tells me your use case can be adjusted to solve the problem without the

> Suppose that a business transaction is restarted by the intermediary
> then the IDP issues a new token whose <subject> is set to INT
> and the Service Provider receives a request with a SAML <subject>  set to
> INT.

You can instead set the Subject to the identity of the original source of
the transaction. You can use a DelegationCondition to express the
intermediary as an involved party, and your problem is solved.

This is delegation. I said this on the original call, and in email.

> In my opinion, each SP will need to know the following:
> which business transaction invoked the service,
> who the real requestor is,
> when the IDP issued the token to authorize the transaction execution.

You get all that with delegation.

> Therefore, to produce this information, the intermediary will need to
> the token defined for the original requestor (C1, C2, ... Cn)

No, it doesn't.

-- Scott
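As an added illustration of the point Scott makes above (not code from the thread or from any OASIS deliverable), the following Python reads, at the Service Provider, the three facts the quoted message says each SP needs: who the real requestor is, which intermediary was involved, and when the IdP issued the token. It assumes the delegation is expressed with the SAML V2.0 Condition for Delegation Restriction (`<saml:Condition xsi:type="del:DelegationRestrictionType">` carrying `<del:Delegate>` elements in the `urn:oasis:names:tc:SAML:2.0:conditions:delegation` namespace). The two assertions are constructed for this example, using the C1 and INT placeholders from the thread; the "trusted intermediaries" policy in `accept()` is an assumption about one SP's local rules, not something the profile prescribes.

```python
"""Added example (not from the thread): what an SP can learn from a SAML 2.0
assertion when the original requestor stays in <Subject> and the intermediary
is named in a Delegation Restriction condition, versus when the intermediary
is simply put into <Subject>."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample, the pattern Scott recommends: Subject is the original
# requestor (C1) and the intermediary (INT) appears as a delegate.
DELEGATED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_example-1" Version="2.0" IssueInstant="2008-01-10T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>C1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-01-10T12:00:00Z" NotOnOrAfter="2008-01-10T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate DelegationInstant="2008-01-10T12:00:01Z"
                    ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:NameID>INT</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample, the pattern from the quoted message: Subject is set to
# INT and there is no delegation condition, so the real requestor is lost.
RESTARTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-2" Version="2.0" IssueInstant="2008-01-10T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>INT</saml:NameID></saml:Subject>
</saml:Assertion>"""


def describe(assertion_xml):
    """Return what the SP learns: issuer, issue time, requestor, delegate chain.
    Delegates are returned in document order as (NameID, DelegationInstant)."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject/saml:NameID", NS)
    delegates = []
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        # xsi:type is kept as a literal "prefix:local" string by ElementTree,
        # so match on the local name rather than on the prefix.
        xsi_type = cond.get("{%s}type" % NS["xsi"], "")
        if not xsi_type.endswith("DelegationRestrictionType"):
            continue
        for d in cond.findall("del:Delegate", NS):
            name = d.find("saml:NameID", NS)
            delegates.append((name.text if name is not None else None,
                              d.get("DelegationInstant")))
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "issued_at": root.get("IssueInstant"),
        "requestor": subject.text if subject is not None else None,
        "delegates": delegates,
    }


def accept(assertion_xml, trusted_intermediaries):
    """Example SP policy (an assumption of this example, not a profile rule):
    accept only if the requestor is present and every delegate named in the
    assertion is an intermediary this SP has agreed to act for."""
    info = describe(assertion_xml)
    if info["requestor"] is None:
        return False
    return all(name in trusted_intermediaries for name, _ in info["delegates"])


if __name__ == "__main__":
    for label, doc in (("delegated", DELEGATED), ("restarted", RESTARTED)):
        print(label, describe(doc), "accepted:", accept(doc, {"INT"}))
```

With the delegated form the SP sees requestor C1, delegate INT with its DelegationInstant, and the IdP's IssueInstant, all from one token and without the intermediary ever holding C1's original token; with the restarted form it sees only INT.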
