On 11/8/12 5:14 PM, "gabilm" <[email protected]> wrote:
>
> Let's take into account that a SAML signature means that the IdP does
> assert that the attributes belong to a user (subject). A RadSec signature
> means you are authenticating a party, the IdP. So it should be clearly
> specified when we can make use of one or the other.
I would dispute that SAML itself dictates any explicit sort of semantic like that. In most SAML profiles, the goal is to transmit the data with origin authentication of the IdP, and that's it. There's no distinction (in SAML itself) based on whether transport protection or message protection is used, or which message layer is signed.

Most relying party implementations don't make such distinctions, though of course they might let deployers make them by disabling some options or requiring others. But in SAML profiles or usage scenarios in which, for example, you don't have direct connectivity to the IdP, so a signature has to be used, it doesn't follow that some kind of special legalistic semantic is in play.

-- Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
