Not at all...the submission is largely focused on the generic assertion flow.
It simply adds additional detail to the current text, and clarifies/corrects
some of the expected usage patterns. There is a SAML profiling of the flow at
the end of the submission, but it's a small percentage of what I submitted.
In terms of format, it suggests:
format
REQUIRED. The format of the assertion as defined by the authorization
server. The format MUST be a URI which designates a profile of the assertion
flow.
I personally think this is all that is required. It would be nice if these
were addressable URIs, but in practice that doesn't happen often, and it does
leave behind some specs which are using urn's.
Could you please take another glance at what I posted? There are a number of
changes to the general assertion flow that are required for it to reflect how
this will be used in a lot of scenarios. Specifically, it:
* Changes the text so the flow is appropriate for on-behalf-of user flows as
well as autonomous, illustrates usage patterns, and indicates this is simply a
basis for consistent profiling
* Adds a bit of detail on parameters in terms of what's required, format,
etc.
* Specifies that error responses defined in a profile may supersede those in
the general assertion flow
* Removes the text around reusing assertions when requesting new access
tokens, as some assertion profiles may be single use assertions; this should be
up to the profile.
So - this works for me - a generic flow is what I was suggesting to begin with.
The SAML profiling can happen elsewhere if an example profile is not required.
Thanks
-cmort
On 4/15/10 12:00 PM, "Eran Hammer-Lahav" <e...@hueniverse.com> wrote:
If I recall correctly, it doesn't define the format parameter, just gives one
fixed value for the SAML flow. Either way, I am suggesting we keep the SAML
flow out of the spec, keeping just the general assertion flow, with better
format definition.
EHL
On 4/15/10 11:55 AM, "Chuck Mortimore" <cmortim...@salesforce.com> wrote:
+1.
Did anyone have a chance to review the proposal I made here? I have a couple
of people from the SAML community reviewing it offline, but would welcome
feedback from this group. The sample text is attached to this post:
http://www.ietf.org/mail-archive/web/oauth/current/msg01735.html
One specific thing to note - the assertion flow is really appropriate for both
autonomous and on-behalf-of user flows, so it will take some special editing to
make that work with the current structure of the intro.
-cmort
On 4/15/10 11:02 AM, "Eran Hammer-Lahav" <e...@hueniverse.com> wrote:
The assertion flow included in the specification doesn't offer enough to
provide interop. Previous discussions ruled out the idea of offering a
single SAML 2.0 based flow.
Proposal: Leave the flow as a generic assertion flow, using SAML 2.0 as an
example, and defining the syntax/values of the format parameter. As long as
the format parameter is well-defined, the rest can be left for
assertion-language-specific specs and implementations.
Needed: Language defining the format parameter in a way which ensures
interop across clients using the same format value (i.e. Registry,
URI-based, etc).
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
