OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Minutes for SSTC Meeting (April/10/2018)



> On 2018-04-10 at 18:55, Cantor, Scott <cantor.2@osu.edu> wrote:
> 
>> 1. Roll Call & Agenda Review.
> 
> Thomas, Scott, Hal, Mohammad attended.
> 
>> 2. Need a volunteer to take minutes.
> 
> Scott volunteered.
> 
>> 3. Approval of minutes from previous meeting(s):
>> 
>> - Tuesday January 16th 2018 meeting:
>> 
>> https://lists.oasis-open.org/archives/security-services/201801/msg00004.html
> 
> Hal moved to approve the minutes. Scott seconded, approved.
> 
>> 4. AIs & progress update on current work-items:
>> 
>>  (a) Current electronic ballots
> 
> None.
> 
>>  (b) Status report.
>> 
>>  (c) Updates on Subject Identifier Attributes Profile (Scott)
>> 
>> https://lists.oasis-open.org/archives/security-services/201711/msg00005.html
>> 
>>    -- Start ballot for the subject-id CD/review.
> 
> Scott moved that the TC approve SAML V2.0 Subject Identifier Attributes Profile Version 1.0 WD 04, published at http://www.oasis-open.org/committees/download.php/62437/saml-subject-id-attr-v1.0-wd04.odt, as a second Committee Specification Draft and designate the ODT version of the specification as authoritative.
> 
> The responses to the comments from the first public review are published at
> https://wiki.oasis-open.org/security/PublicComments20171113-20171212
> 
> Scott further moved that the TC approve submitting the resulting SAML V2.0 Subject Identifier Attributes Profile Version 1.0 CSD 02 upon publication for a 30-day public review.
> 
> Hal seconded, both motions passed.
> 
>>  (d) Any updates: Protocol extension for role change (Rainer).
> 
> Thomas will reach out to Rainer about any further interest in what he had in mind.

The idea was to allow users to change their attributes to a different context without re-authenticating with a different account across SSO-enabled sites. E.g., when I log in to a government service I have to choose if I am acting as myself or as director of my limited company. I could also change the context during the active session; however, in this case there is no notification of other SPs about my changed attribute set. This might confuse users.

This use case has been put on the back burner, because this is only relevant for quite a small subset of users doing role change - many users already have different accounts for different purposes. Also, for best UX it would be necessary that applications notify the user about a role change.

Therefore there is no further input from my side for the time being.

Best regards
Rainer

