shibboleth-dev - RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
- From: Peter Williams <>
- To: "" <>
- Subject: RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
- Date: Mon, 30 Mar 2009 15:06:03 -0700
- Accept-language: en-US
I hope I don't sound like a broken record.
Who is the "we"? (as in we don't like...)
Some Liberty group, some vendor group, some Shib community group, some
Internet2 project group of experts?
Is there any intent that this delegation control applies to any "oauth
context"?
-----Original Message-----
From: Scott Cantor
<>
Sent: Monday, March 30, 2009 2:41 PM
To:
<>
Subject: RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0
Profiles
Peter Williams wrote on 2009-03-30:
> What is the "impending problem" - that didn't exist 3 years ago with
> sufficient imperative?
Three years ago the goal was to get SAML 2 out the door, not deal with web
services and delegation.
Liberty didn't care about the result of handing a delegated assertion to
software that wasn't expecting it, because they had to assume entirely new
software to support web services. We're reusing ECP to support arbitrary
HTTP-based applications, which means we'd be potentially handing them to an
existing SP.
We don't like the idea of an SP silently accepting a delegated SSO assertion
without any intervention by the deployer, ergo the extension to identify
delegates has to have critical semantics. Conditions are the only extension
mechanism that does.
-- Scott
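
The critical-semantics behaviour discussed in this thread, as an added example that is not part of either message or of Shibboleth's code: under SAML 2.0 core, an assertion carrying a condition the relying party does not understand is indeterminate and must not be accepted, so an existing SP rejects a delegated assertion until the deployer enables the extension. The delegation namespace, type name and sample assertion are constructed placeholders, and signature, time and audience checks are out of scope.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
DEL = "urn:example:conditions:delegation"  # constructed placeholder namespace

# Conditions defined by SAML 2.0 core that this toy SP understands out of the box.
CORE = {f"{{{SAML}}}{n}" for n in ("AudienceRestriction", "OneTimeUse", "ProxyRestriction")}

# Constructed sample: an SSO assertion that carries an extension condition.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xsi="{XSI}" xmlns:del="{DEL}">
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
    <saml:Condition xsi:type="del:DelegationRestrictionType"/>
  </saml:Conditions>
</saml:Assertion>"""

def condition_types(xml_text):
    """Expanded name of each child of <Conditions>; the generic <Condition>
    extension point is reported by its resolved xsi:type instead."""
    data = xml_text.encode()
    # Flat prefix map: enough for this sample, ignores prefix rebinding.
    nsmap = dict(ns for _, ns in ET.iterparse(io.BytesIO(data), events=["start-ns"]))
    conds = ET.fromstring(data).find(f"{{{SAML}}}Conditions")
    out = []
    for child in (conds if conds is not None else []):
        if child.tag == f"{{{SAML}}}Condition":
            prefix, _, local = child.get(f"{{{XSI}}}type", "").rpartition(":")
            out.append(f"{{{nsmap.get(prefix, '')}}}{local}")
        else:
            out.append(child.tag)
    return out

def evaluate(xml_text, enabled_extensions=frozenset()):
    """Return ('indeterminate', unknown) if any condition is not understood,
    which the SP must treat as a rejection; otherwise ('valid', [])."""
    understood = CORE | set(enabled_extensions)
    unknown = [t for t in condition_types(xml_text) if t not in understood]
    return ("indeterminate", unknown) if unknown else ("valid", [])

if __name__ == "__main__":
    print(evaluate(SAMPLE))                                            # stock SP
    print(evaluate(SAMPLE, {f"{{{DEL}}}DelegationRestrictionType"}))  # deployer opted in
```
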