shibboleth-dev - RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
Subject: Shibboleth Developers
- From: Peter Williams <>
- To: "" <>
- Subject: RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
- Date: Tue, 7 Apr 2009 00:09:54 -0700
Is there any intent that the delegation controls would constrain handling of
the cleartext form of the encrypted nameid that is, itself, an assertion?
> -----Original Message-----
> From: Scott Cantor [mailto:]
> Sent: Monday, March 30, 2009 2:41 PM
> To:
> Subject: RE: [Shib-Dev] FW: [security-services] Public Review of SAML 2.0 Profiles
>
> Peter Williams wrote on 2009-03-30:
> > What is the "impending problem" - that didn't exist 3 years ago with
> > sufficient imperative?
>
> Three years ago the goal was to get SAML 2 out the door, not deal with
> web services and delegation.
>
> Liberty didn't care about the result of handing a delegated assertion
> to software that wasn't expecting it, because they had to assume entirely
> new software to support web services. We're reusing ECP to support
> arbitrary HTTP-based applications, which means we'd be potentially handing
> them to an existing SP.
>
> We don't like the idea of an SP silently accepting a delegated SSO
> assertion without any intervention by the deployer, ergo the extension to
> identify delegates has to have critical semantics. Conditions are the only
> extension mechanism that does.
>
> -- Scott
>
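The "critical semantics" point in the quoted reply, as an added example that is not part of either message or of Shibboleth's code: a sketch of an SP-side check that rejects an assertion when it carries a condition the SP does not understand. The sample assertion, the entity URLs and the function names are constructed for illustration; the delegation namespace and type name are those of the SAML 2.0 delegation restriction condition.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
CORE = {f"{{{SAML}}}{n}" for n in ("AudienceRestriction", "OneTimeUse", "ProxyRestriction")}

# Constructed sample, trimmed to the relevant parts (no Issuer, Subject or Signature).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate><saml:NameID>https://portal.example.org</saml:NameID></del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>"""

def parse_with_prefixes(xml_text):
    """Parse and keep prefix bindings so the xsi:type QName can be resolved.
    Simplification: assumes prefixes are not rebound deeper in the document."""
    nsmap, root = {}, None
    for event, item in ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("start-ns", "start")):
        if event == "start-ns":
            nsmap[item[0]] = item[1]      # item is (prefix, namespace URI)
        elif root is None:
            root = item                   # first "start" event is the document root
    return root, nsmap

def sp_accepts(xml_text, understood=frozenset()):
    """Fail closed on any condition this SP does not understand.
    Signature, time-window and audience evaluation are out of scope here."""
    root, nsmap = parse_with_prefixes(xml_text)
    conditions = root.find(f"{{{SAML}}}Conditions")
    for child in (conditions if conditions is not None else []):
        if child.tag in CORE:
            continue                      # core conditions: evaluation omitted
        if child.tag == f"{{{SAML}}}Condition":
            prefix, _, local = child.get(f"{{{XSI}}}type", "").rpartition(":")
            if (nsmap.get(prefix), local) in understood:
                continue                  # deployer opted in to this extension type
        return False  # unknown condition: validity is indeterminate, so reject
    return True

if __name__ == "__main__":
    print("legacy SP accepts:", sp_accepts(ASSERTION))
    print("delegation-aware SP accepts:", sp_accepts(ASSERTION, {(DEL, "DelegationRestrictionType")}))
```

An SP that passes the delegation type in `understood` still has to evaluate the listed delegates against its own policy; the sketch only shows the opt-in step.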