Subject: Re: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance
> I went through the eGov SAML profile, and it is on-point with the key
> things we need to do, which are allow for Web SSO and import certain LDAP
> attributes, which include group and OU. Regarding this last item, it is
> not clear whether we have the opportunity to obtain group/OU from the
> Authentication Response or whether we need to do a separate attribute
> query. I would be very appreciative if you have any suggestions on this.

That's a deployment choice, but most implementations don't tend to have
integrated SSO + query support and assume that those are separate,
unrelated roles.

> Can you explain the rationale behind the following statement within the
> eGov profile in Section 2.5.3.2?: Identity Provider implementations MUST
> allow the number of <saml2:Assertion>, <saml2:AuthnStatement>, and
> <saml2:AttributeStatement> elements in the <saml2p:Response> message to be
> limited to one. In turn, Service Provider implementations MAY limit
> support to a single instance of those elements when processing
> <saml2p:Response> messages.

There are no particular use cases for using multiple statements to
represent a single authentication act, and limiting things to one makes
implementation much simpler.

> Please correct me if I am wrong, but my conclusion thus far is that
> discussing SAML v2 compatibility is not that valuable, and that it is more
> useful to talk about conformance to specific profiles, like those
> documented in the eGov profile you referred me to and the SAML v2 Profiles
> document.

Right. There is no such thing as "SAML compatibility", only conformance to
profiles.

> Lastly, do you know of a good book on SAML that will help provide some of
> the context that you so kindly shared with me? Before I contacted your
> committee, I tried to find a SAML reference book that I could read to get
> up to speed, and did not come across anything that looked good.
> Hopefully, you know of a book that you can mention to me.

I am not aware of any, I'm afraid.

-- Scott
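Added example, not part of this thread and not code from Scott or any SAML toolkit: an SP-side check that applies the "limit to one" rule quoted from the eGov profile (exactly one saml2:Assertion and one saml2:AuthnStatement per saml2p:Response, at most one saml2:AttributeStatement) and then reads group and OU attributes out of that single AttributeStatement, which is the "from the Authentication Response" route asked about above. The attribute names memberOf and ou, the issuer and subject values, and the sample Response itself are constructed for this example; a real SP would validate the XML signature and the Conditions before any of this runs, and would parse with a hardened XML parser rather than the stdlib one used here.

```python
"""SP-side enforcement of the eGov profile's single-instance rule.

Constructed example: the Response below is hand-written for this demo,
carries no Signature, and uses assumed LDAP attribute names (memberOf, ou).
"""
import xml.etree.ElementTree as ET  # assumption: stdlib parser; use defusedxml in production

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class ProfileViolation(Exception):
    """Raised when a Response carries more instances than the SP supports."""


def check_single_instance(response_xml):
    """Return the one Assertion in the Response, or raise ProfileViolation.

    Mirrors the SP side of eGov 2.5.3.2: exactly one Assertion, exactly one
    AuthnStatement (an SSO response needs one), at most one AttributeStatement.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ProfileViolation("root element is not saml2p:Response")
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        raise ProfileViolation("expected 1 Assertion, got %d" % len(assertions))
    assertion = assertions[0]
    n_authn = len(assertion.findall("saml2:AuthnStatement", NS))
    if n_authn != 1:
        raise ProfileViolation("expected 1 AuthnStatement, got %d" % n_authn)
    n_attr = len(assertion.findall("saml2:AttributeStatement", NS))
    if n_attr > 1:
        raise ProfileViolation("expected at most 1 AttributeStatement, got %d" % n_attr)
    return assertion


def is_single_instance(response_xml):
    """Boolean form of check_single_instance, convenient for policy decisions."""
    try:
        check_single_instance(response_xml)
        return True
    except (ProfileViolation, ET.ParseError):
        return False


def extract_attributes(assertion):
    """Map Attribute Name -> list of AttributeValue texts from the one statement."""
    attrs = {}
    stmt = assertion.find("saml2:AttributeStatement", NS)
    if stmt is None:
        return attrs  # IdP sent no attributes; caller may fall back to an AttributeQuery
    for attr in stmt.findall("saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def groups_and_ou(response_xml, group_attr="memberOf", ou_attr="ou"):
    """Enforce the single-instance rule, then pull group and OU values.

    group_attr / ou_attr are assumed names; set them to whatever the IdP emits.
    """
    assertion = check_single_instance(response_xml)
    attrs = extract_attributes(assertion)
    return attrs.get(group_attr, []), attrs.get(ou_attr, [])


# Constructed sample: one Assertion with one AuthnStatement and one AttributeStatement.
SAMPLE_OK = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
    <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2009-01-01T00:00:00Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="memberOf">
        <saml2:AttributeValue>cn=admins,ou=groups,dc=example,dc=org</saml2:AttributeValue>
        <saml2:AttributeValue>cn=staff,ou=groups,dc=example,dc=org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="ou">
        <saml2:AttributeValue>Engineering</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed negative case: the same Response with the Assertion duplicated.
_start = SAMPLE_OK.index("<saml2:Assertion")
_end = SAMPLE_OK.index("</saml2:Assertion>") + len("</saml2:Assertion>")
_dup = SAMPLE_OK[_start:_end].replace('ID="_a1"', 'ID="_a2"')
SAMPLE_TWO_ASSERTIONS = SAMPLE_OK[:_end] + "\n  " + _dup + SAMPLE_OK[_end:]

if __name__ == "__main__":
    print(groups_and_ou(SAMPLE_OK))
    print("two assertions accepted:", is_single_instance(SAMPLE_TWO_ASSERTIONS))
```

The rejection of the two-assertion Response is the point of the rule: an SP that only ever has to reconcile one Assertion, one AuthnStatement and one AttributeStatement has far less surface for confusion about which statement authenticated the user and which attributes belong to that authentication act. If the IdP sends no AttributeStatement at all, extract_attributes returns an empty map and the SP falls back to the separate AttributeQuery route that Scott describes as the more common deployment.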