On 08/11/12 23:52, Cantor, Scott wrote:
> On 11/8/12 5:14 PM, "gabilm" <[email protected]> wrote:
>> Let's take into account that a SAML signature means that the IdP
>> asserts the attributes belong to a user (subject). A RadSec signature
>> means you are authenticating a party, the IdP. So it should be clearly
>> specified when we can make use of one or the other.
> I would dispute that SAML itself dictates any explicit sort of semantic
> like that. In most SAML profiles, the goal is to transmit the data with
> origin authentication of the IdP, and that's it. There's no distinction
> (in SAML itself) based on whether transport protection or message
> protection is used, or which message layer is signed. Most relying party
> implementations don't make such distinctions, though of course they might
> let deployers make them by disabling some options or requiring others.
>
> But in SAML profiles or usage scenarios in which, for example, you don't
> have direct connectivity to the IdP so a signature has to be used, it
> doesn't follow that some kind of special legalistic semantic is in play.
I agree. Of course, in both cases you are authenticating the IdP; my
concern is that it seems SAML authentication and RadSec authentication
are equivalent.
For example, what happens if the home organization's RADIUS and IdP
servers are not co-located, for example, if the organization has a
Shibboleth IdP that wants to connect to the ABFAB infrastructure? You
could have SAML and RadSec signatures from different entities.


regards, Gabi.

>
> -- Scott
>
>


-- 
----------------------------------------------------------------
Gabriel López Millán
Departamento de Ingeniería de la Información y las Comunicaciones
University of Murcia
Spain
Tel: +34 868888504
Fax: +34 868884151
email: [email protected]

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
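The situation Gabi raises (a signed SAML assertion delivered over RadSec by a RADIUS peer that is not the IdP) is easiest to see as a relying-party decision with two separately authenticated identities: the RadSec peer proven by the TLS handshake, and the assertion Issuer proven (only if signed) by the XML signature. The Python below is an added illustration, not code from this thread, from ABFAB or from any Shibboleth/RADIUS implementation. All host names, issuer entityIDs, key names and the three policy tables are hypothetical; the sample assertions are constructed inline. Matching `ds:KeyName` against a per-issuer key list is a stand-in for real XML-DSig verification, which a production relying party must do with an XML signature library before trusting the issuer identity.

```python
"""Relying-party policy for a SAML assertion received over RadSec (RADIUS/TLS).

Two independent authentication layers are in play:
  * RadSec: the TLS handshake authenticates the RADIUS peer that delivered it.
  * SAML:   an XML signature, if present, authenticates the assertion Issuer.
They are the same entity only when the home organisation's RADIUS server and
its IdP are co-located; the policy below keeps them apart.
(Added example; all names are hypothetical.)
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# --- Deployment policy (hypothetical) ---------------------------------------
# RADIUS endpoint operated by the issuer itself: for this peer, transport
# authentication alone is taken to vouch for an unsigned assertion.
ISSUER_RADIUS = {"https://idp.example.edu/idp/shibboleth": "radius.example.edu"}
# RadSec peers allowed to relay *signed* assertions issued by someone else.
TRUSTED_RELAYS = {"proxy.example.net": {"https://idp.example.edu/idp/shibboleth"}}
# Signing keys expected per issuer. KeyName matching is a STAND-IN for real
# XML-DSig verification; do not ship this check in place of a signature library.
ISSUER_KEYS = {"https://idp.example.edu/idp/shibboleth": {"idp-signing-2012"}}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    transport_peer: str            # proven by RadSec (TLS) peer authentication
    issuer: str                    # claimed by SAML; proven only if signed
    attributes: dict = field(default_factory=dict)


def parse_assertion(xml_text):
    """Return (issuer, is_signed, key_name, attributes) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    sig = root.find(f"{{{DS}}}Signature")
    key_name = None
    if sig is not None:
        key_name = sig.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName", default="").strip() or None
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return issuer, sig is not None, key_name, attrs


def evaluate(xml_text, peer_cn):
    """Decide whether the attributes are vouched for, and by which layer."""
    issuer, signed, key_name, attrs = parse_assertion(xml_text)
    if not issuer:
        return Verdict(False, "assertion carries no Issuer", peer_cn, issuer)
    issuer_own_peer = ISSUER_RADIUS.get(issuer) == peer_cn
    if not signed:
        # Only transport protection: the RadSec peer is all we have authenticated.
        if issuer_own_peer:
            return Verdict(True, "unsigned; RadSec peer is the issuer's own RADIUS "
                                 "endpoint, so transport origin authentication suffices",
                           peer_cn, issuer, attrs)
        return Verdict(False, "unsigned assertion delivered by a peer that is not the "
                              "issuer; nothing authenticates the issuer", peer_cn, issuer)
    # Message protection: the signature (here, its KeyName) must belong to the issuer.
    if key_name not in ISSUER_KEYS.get(issuer, set()):
        return Verdict(False, f"signature key {key_name!r} is not a known key of {issuer}",
                       peer_cn, issuer)
    if issuer_own_peer or issuer in TRUSTED_RELAYS.get(peer_cn, set()):
        return Verdict(True, "signed by the issuer and delivered by a RadSec peer "
                             "authorized to relay for it", peer_cn, issuer, attrs)
    return Verdict(False, f"RadSec peer {peer_cn} is not authorized to relay assertions "
                          f"from {issuer}", peer_cn, issuer)


def make_assertion(issuer, key_name=None):
    """Build a constructed sample assertion, optionally with a (stand-in) signature."""
    sig = ""
    if key_name:
        sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>c2ln</ds:SignatureValue>'
               f"<ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo></ds:Signature>")
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
            f"<saml:Issuer>{issuer}</saml:Issuer>{sig}"
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
            '<saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">'
            "<saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>"
            "</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    cases = [
        ("co-located, signed", make_assertion(idp, "idp-signing-2012"), "radius.example.edu"),
        ("separate IdP via trusted relay", make_assertion(idp, "idp-signing-2012"), "proxy.example.net"),
        ("separate IdP via unknown peer", make_assertion(idp, "idp-signing-2012"), "radius.other.org"),
        ("co-located, unsigned", make_assertion(idp), "radius.example.edu"),
        ("unknown peer, unsigned", make_assertion(idp), "proxy.example.net"),
    ]
    for label, xml, peer in cases:
        v = evaluate(xml, peer)
        print(f"{label:32s} peer={v.transport_peer:20s} accepted={v.accepted}  {v.reason}")
```

The two accept paths make the distinction from the thread explicit: an unsigned assertion is accepted only when the RadSec peer is the issuer's own endpoint (transport protection is the origin authentication), whereas a signed assertion can travel through a separate RADIUS server or proxy, provided that peer is on the relying party's list of authorized relays for that issuer.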
