[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries
On 3/27/12 7:23 PM, "David Chadwick" <d.w.chadwick@kent.ac.uk> wrote:

> So why is the feature in the attribute request message? And has been
> there from v1 of SAML?

Because copying/emulating basic features of LDAP was one of the original use cases, and because metadata didn't exist in V1 of SAML (nor, I would note, did AuthnRequests at all).

> If you have a model of an all attribute providing IDP, and an SP that
> offers multiple services with different authz requirements, then you
> need a feature such as this

I think it's pretty clear that most of us think that metadata is sufficient for *most* such cases, and it handles multiple services just fine, in multiple ways. Where it's not sufficient is mostly with respect to how it identifies attributes, which I haven't evaluated in the context of your proposal yet.

There isn't any experience at this point in identifying how far down the complexity scale one has to go to get to the right attribute enumeration mechanism. XACML is, frankly, too complex IMHO. The metadata schema is clearly not complex enough.

What I do think is that whatever extension were to be adopted for an AuthnRequest should also be defined as usable in metadata as a replacement for AttributeConsumingService.

-- Scott
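As an added illustration of the point made above (not part of the original message or of any OASIS deliverable), the following SP metadata fragment shows the existing mechanism the reply refers to: one SPSSODescriptor carrying two AttributeConsumingService entries with different attribute requirements, which an AuthnRequest selects by index. The entityID, service names and attribute set are constructed placeholders.

```xml
<!-- Added example, not from the original thread. Placeholder entityID. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.invalid/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/SAML2/POST"/>

    <!-- Service 0: a low-assurance service that only needs an identifier. -->
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Public wiki</md:ServiceName>
      <md:RequestedAttribute
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    </md:AttributeConsumingService>

    <!-- Service 1: a service with stricter authz needs (entitlement + mail). -->
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Grant administration</md:ServiceName>
      <md:RequestedAttribute
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonEntitlement" isRequired="true"/>
      <md:RequestedAttribute
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="mail" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

The SP then chooses which requirement set applies per request with the standard `AttributeConsumingServiceIndex` attribute on `<samlp:AuthnRequest>` (for example `AttributeConsumingServiceIndex="1"` for the stricter service). The IdP's release policy still decides what is actually sent; the metadata only states what the SP asks for, which is the limitation the reply notes regarding how attributes are identified.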