mace-opensaml-users - RE: SAML for Provisioning

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Prasad'" <>
  • Cc: <>
  • Subject: RE: SAML for Provisioning
  • Date: Thu, 29 Sep 2005 17:25:25 -0400
  • Organization: The Ohio State University

> Prasad, can you explain a bit more what you mean by "user
> provisioning"? Surely, a SAML service provider might create a user
> account on the basis of a (strong) SAML assertion returned from a
> (trusted) SAML identity provider, but that seems to defeat the purpose
> of a SAML browser profile altogether.

Why? That's probably a good summation of a majority of the actual
deployments out there, except that they probably don't create the account at
the time of login, it's in advance.

In the sense that you can dynamically provision based on attributes/claims,
that's certainly an obvious use of SAML to do "provisioning". One might also
lump name identifier mgmt into the provisioning category (it was one reason
some of the TC didn't want to do it).

The original Shib idea of "send only attributes, grant transitory access"
seems to be the minority, not the primary use case. Today anyway.

-- Scott



