
wg-pic - Re: [wg-pic] SAML use cases

Subject: Presence and IntComm WG

  • From: Peter Saint-Andre <>
  • To:
  • Subject: Re: [wg-pic] SAML use cases
  • Date: Wed, 28 Oct 2009 14:19:12 -0600
  • Openpgp: url=http://www.saint-andre.com/me/stpeter.asc

On 10/28/09 2:01 PM, Tom Scavo wrote:
> On the last call, I was asked to describe the use of SAML in
> conjunction with X.509. Before I go off ranting and raving about
> something that may turn out to be totally irrelevant for this group,
> let me see if I understand the basic requirements I thought I heard on
> the call. You're looking for a way to do back-channel
> (server-to-server) access control, that is, an XMPP server calls out
> to another XMPP server for an access control decision (or attributes
> that can be used to make an access control decision). Am I even
> halfway close to the truth? :-)

I think the communication could happen over HTTP instead of XMPP. For
example, using my XMPP client I try to access a protected resource (say,
a chatroom) at a remote XMPP service. The remote service discovers the
canonical attribute authority for the domain of my local XMPP service
and sends a normal Shib request to that AA using HTTP. Yes, the remote
XMPP service would need to have the smarts to discover my AA and send it
a request over HTTP, but I'm assuming we have code for that and the
software running at the remote XMPP service would need to install some
kind of shim to use the Shib code.

> Close or not, consider this alternative use case (which for some
> reason is the one I think I want to solve): Suppose I had a
> browser-based group chat client. (I assume such things exist.)

Indeed:

http://xmpp.org/software/clients.shtml#web

> Now
> protect this client with a Shibboleth Service Provider (or any
> implementation of a SAML Service Provider) and map the supplied group
> membership attribute(s) to the corresponding chat room(s).

But doesn't this constrict us to the use of a web client?

> The latter seems fairly straightforward compared to the former, so
> this is where I think I need to start. Why is it thought that the
> former is the problem we want to solve?

Because there is a huge installed base of XMPP-capable clients on just
about every computing platform known to man. It would be great if they
could Just Work [tm]...

Peter

--
Peter Saint-Andre
https://stpeter.im/




