OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups - saml-session-token-v1.0-wd03.pdfuploaded

> My thinking was that it would be hard to get agreement on the processing
> steps. I decided to simply say what fields were required and what their
> semantics are. Even if it was normative, most of the steps would be optional.
> Suppose instead of changing section 3 I add wording to sections 5 & 6 to
> make the reading and writing steps more explicit?

I'd probably need to see a specific proposal, but I guess I'm just saying that I'd like to see the specific assertion profile be explicit for interoperability.

> > Section 4: does this NameID have a connection to a NameID in
> > a SAML SSO context?
> I am probably missing some subtle point, but I did think they were the same.
> If the session started with an IDP authenticating the user and generating a
> SAML assertion with an authentication statement, then I assume the
> NameID in the session token would be the same and the entire
> authentication statement would be copied into the session token.

Ok, the problem there is that the NameID isn't required during SSO.

> I guess I could eliminate the requirement. In the environments this is
> targeted at the NameID, whether long term or pseudonymous, is used as a
> lookup key to find other attributes for access control. It also may be used by
> the application in various ways.

What I'd probably expect, I suppose, is creating a new format, perhaps, or using a transient, and using the session key as the NameID.

> > Are Conditions allowed, or just times? If not, we should say that.
> I assumed anything defined by SAML which is not mentioned may optionally
> be used. I can say so explicitly.

It comes back to the assertion profile, I just want it to be clear.

> > Why is SessionStart needed if it's guaranteed to match
> > AuthnInstant anyway?
> Originally, I allowed any number of authentication statements and defined
> session start as being the most recent. It was decided to change this to say
> that there is just one authentication statement. I left SessionStart in thinking
> I might get some push back on this definition. I am still inclined to leave it as a
> hedge against the future.

I guess I just figure smaller is better.

> There doesn't seems to be any standard for cookie compression. Surely you
> weren't thinking of EXI? I don't think that would drive adoption. Do you have
> something specific in mind?

Just DEFLATE or whatever, nothing unusual.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]