OASIS Mailing List Archives

security-services message

Subject: Re: Question to SSTC -- RE: Questions Regarding SAML 2.0 Conformance


>I went through the eGov SAML profile, and it is on-point with the key
>things we need to do, which are allow for Web SSO and import certain LDAP
>attributes, which include group and OU. Regarding this last item, it is
>not clear whether we have the opportunity to obtain group/OU from the
>Authentication Response or whether we need to do a separate attribute
>query. I would be very appreciative if you have any suggestions on this.

That's a deployment choice, but most implementations don't tend to have
integrated SSO + query support and assume that those are separate,
unrelated roles.

>Can you explain the rationale behind the following statement within the
>eGov profile in Section 2.5.3.2?: Identity Provider implementations MUST
>allow the number of <saml2:Assertion>, <saml2:AuthnStatement>, and
><saml2:AttributeStatement> elements in the <saml2p:Response> message to be
>limited to one. In turn, Service Provider implementations MAY limit
>support to a single instance of those elements when processing
><saml2p:Response> messages.

There are no particular use cases for using multiple statements to
represent a single authentication act, and limiting things to one makes
implementation much simpler.

>Please correct me if I am wrong, but my conclusion thus far is that
>discussing SAML v2 compatibility is not that valuable, and that it is more
>useful to talk about conformance to specific profiles, like those
>documented in the eGov profile you referred me to and the SAML v2 Profiles
>document.

Right. There is no such thing as "SAML compatibility", only conformance to
profiles.

>Lastly, do you know of a good book on SAML that will help provide some of
>the context that you so kindly shared with me? Before I contacted your
>committee, I tried to find a SAML reference book that I could read to get
>up to speed, and did not come across anything that looked good. Hopefully,
>you know of a book that you can mention to me.

I am not aware of any, I'm afraid.

-- Scott
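As an added illustration that is not part of Scott's reply or of the eGov profile text: a minimal SP-side check that enforces the one-of-each limit quoted above (exactly one Assertion, at most one AuthnStatement and one AttributeStatement per Response) and then reads group/OU attributes out of that same SSO Response instead of issuing a separate attribute query. The namespace URIs are SAML 2.0's own; the sample Response, attribute names, issuer and subject are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response (not real IdP output): one Assertion holding one
# AuthnStatement and one AttributeStatement with made-up group and OU attributes.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.org</saml2:Issuer>
    <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2000-01-01T00:00:00Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="memberOf">
        <saml2:AttributeValue>cn=admins</saml2:AttributeValue>
        <saml2:AttributeValue>cn=staff</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="ou"><saml2:AttributeValue>Finance</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def check_single_instances(response_xml):
    """Apply the eGov limit an SP MAY enforce: exactly one Assertion, at most one
    AuthnStatement and one AttributeStatement. Structural check only; signature,
    audience, conditions and replay checks are separate steps. Returns the Assertion."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a saml2p:Response")
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected one Assertion, got %d" % len(assertions))
    assertion = assertions[0]
    for stmt in ("saml2:AuthnStatement", "saml2:AttributeStatement"):
        if len(assertion.findall(stmt, NS)) > 1:
            raise ValueError("more than one %s in the Assertion" % stmt)
    return assertion


def attributes_from_response(response_xml):
    """Read attributes (here group/OU) straight from the SSO Response's single
    AttributeStatement, so no separate AttributeQuery round trip is needed."""
    assertion = check_single_instances(response_xml)
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return attrs
```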
