Subject: RE: [security-services] Protocol extension for role change


> Does anybody know of a similar use case, and which design was selected?
> Any other comments?

I think it's simpler to leave it to the application.

Increasingly people seem to use separate accounts now for this sort of thing. It's like we're back to 1990 and nobody remembers why we stopped using multiple accounts for everything. I don't really like either model (multiple accounts or choosing roles), and would prefer just seeing step-up or reauthentication used if the application wants to guard something more closely (e.g. like a role switch).

I can't tell from your description, but it sounds like you mean for a role change (which SAML doesn't define anything about; roles don't exist in the standard) to actually imply a single logout, which we know in practice doesn't work anyway.

It seems like a waste of time to engineer a solution to cause logout when that won't actually work. Why bother with that piece?

-- Scott
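Added example, not part of Scott's message or the thread: one way an SP could implement the step-up/reauthentication approach preferred above instead of engineering a logout, using the SAML 2.0 Core `ForceAuthn` attribute and `RequestedAuthnContext`. The freshness window, the required authentication context class and the entity IDs are assumptions.

```python
"""Step-up reauthentication before a sensitive action (e.g. a role switch)
using SAML 2.0 AuthnRequest/ForceAuthn. Element and attribute names come from
SAML 2.0 Core; the policy values below are assumed for illustration."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumed policy: a role switch needs an authentication no older than
# 5 minutes at (at least) the TimeSyncToken context class.
MAX_AGE = timedelta(minutes=5)
REQUIRED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_stepup_request(sp_entity_id, req_id, issue_instant):
    """AuthnRequest that forces the IdP to re-authenticate the user."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                     {"ID": req_id, "Version": "2.0", "ForceAuthn": "true",
                      "IssueInstant": issue_instant.strftime(TS)})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = REQUIRED_CLASS
    return ET.tostring(req, encoding="unicode")

def fresh_enough(assertion_xml, now):
    """SP-side gate before allowing the role switch: the AuthnStatement must be
    recent and at the required class. Signature/Conditions checks assumed done."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    if stmt is None:
        return False
    instant = datetime.strptime(stmt.get("AuthnInstant"), TS).replace(tzinfo=timezone.utc)
    cls = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return timedelta(0) <= now - instant <= MAX_AGE and cls == REQUIRED_CLASS

# Constructed sample assertion fragment (not real traffic).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
  <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef></saml:AuthnContext>
 </saml:AuthnStatement>
</saml:Assertion>"""
```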
